Cybersecurity has become an increasingly discussed topic in Europe and is more and more valued and controlled at business level by most companies operating in the EU market. This rising trend can be traced back to the steadily growing number of cyber attacks, which continues to increase every year, as shown by the latest report published by ENISA, the European Union Agency for Cybersecurity (ENISA Threat Landscape 2022).
Over the past year, the unique geopolitical situation has also highlighted the fundamental role played by cybersecurity in foreign policy, and thus the importance of adequately protecting state institutions and companies operating in strategic sectors for national security from such attacks.
This situation has therefore prompted the EU legislator to update the European cybersecurity framework, which led to the approval of the new Network and Information Security (NIS) 2 Directive by the European Parliament in November 2022. On 27 December 2022, the new directive was published in the Official Journal of the European Union and it will enter into force on 16 January 2022. The previous NIS 1 Directive had been criticized on several occasions by sector experts for lacking sufficiently specific guidelines and measures, although it had introduced a common standard of defense against cyber threats in Europe.
The adoption of NIS 2, therefore, has not only broadened the scope of the directive, but has also made it possible to “harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state”, as the Council of the EU states in its press release.
In this article, we are going to discuss the main changes introduced by NIS 2 compared to the previous directive, as well as the most important legal obligations introduced by this law, to which EU-based companies are now subject.
Scope of application
The first new element introduced by NIS 2 concerns the scope of the directive itself: the list of sectors and activities that are subject to cybersecurity obligations has been updated. Companies falling under the scope of the NIS 1 Directive were only those operating in sectors that were considered highly critical at the time, i.e. the companies providing an “essential service, the interruption of which would have a significant impact on the performance of the economy or society”, including the energy, telecommunications, transport, banking and financial markets, and health sectors.
NIS 2 has expanded the list of sectors whose companies will have to comply with the new cybersecurity obligations, building on the criticism raised in recent years and on the post-pandemic experience. The new sectors introduced are listed in Annex I “Sectors of High Criticality” and Annex II “Other Critical Sectors”:
- digital infrastructure and digital providers (cloud computing, data centers, providers of online marketplaces, online search engines, social networking service platforms and of public electronic communications networks);
- healthcare services (not only healthcare providers but also EU reference laboratories and entities carrying out research and development activities for medicinal products, medical products, chemicals, pharmaceuticals and medical devices);
- networks and services for public electronic communications;
- postal services;
- agri-food chain.
In addition, the following also fall within the scope of application of NIS 2:
- all medium and large enterprises in the sectors included in Annexes I and II of the directive;
- regardless of their size, essential and important entities operating in key sectors (i.e. electronic communications and electronic communications networks), as well as entities providing services that are essential for the maintenance of critical societal or economic activities.
Companies that fall under the above definition will therefore have to adopt appropriate TOMs (technical and organizational security measures) to manage their cyber risk, and will also have to prevent and minimize the impact of any security incidents they suffer.
New cybersecurity risk management measures
As specified in Article 18 of the NIS 2 Directive, one of the main purposes of this new regulatory intervention is precisely to introduce new obligations and security measures in the area of risk management:
“Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services”.
In this sense, the directive provides a list of minimum measures that it considers essential to guarantee an adequate level of information security:
- risk analysis and information system security policies;
- incident handling systems;
- business continuity systems, such as backup management and disaster recovery, and crisis management;
- supply chain security management measures;
- security in the acquisition, development and maintenance of networks and information systems, including vulnerability management and disclosure;
- policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
- basic IT hygiene practices (i.e., basic rules for ensuring cybersecurity) and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- measures on human resources security, access control policies and asset management; and
- the use of multi-factor authentication or continuous authentication solutions; secure voice, video and text communications; and secure emergency communications systems within the entity, where appropriate.
Thus, there is a general principle of adequacy of the measures to be taken, but the directive specifies that these measures must be supplemented with additional ones based on a case-by-case analysis of the entities that will have to implement them, following an all-hazards approach. Member States must also specify these obligations in more detail.
Broadening the responsibilities of stakeholders
Another important amendment is the introduction of joint liability of the suppliers of companies falling under NIS 2 in the event of a breach of the data and systems for which they are responsible. The suppliers of these companies are therefore also indirectly subject to obligations to implement additional cybersecurity measures and, at the same time, the companies themselves are required to select their suppliers more carefully.
In any case, within 21 months of the entry into force of the directive, the European Commission must define the technical and methodological requirements applicable to the measures to be taken by, among others, providers of cloud computing services, data centers, online marketplaces, search engines and social networks.
Reporting obligations and sanctions
Finally, Article 20 of the NIS 2 Directive provides for the obligation to notify the CSIRT (Computer Security Incident Response Team) and the competent authorities of any incident that may have a significant impact on service provision. Notification takes place in two stages: an initial “early warning” to the competent authorities, which must be made without undue delay and in any case within 24 hours of becoming aware of the incident, followed by a second notification within 72 hours providing a detailed analysis of the incident. In line with the provisions of the GDPR, only in the most serious cases, where the cyber-attack may also directly affect the data subjects themselves, must the data subjects be notified as well, both to warn them of the attack and to support them by indicating the measures they can take to defend themselves against it.
Should the competent authorities find violations of the directive, they may impose on companies the suspension of their business activities, as well as further specific prohibitions, and fines of up to €10 million or 2% of the previous year’s global turnover in the case of essential entities, and up to €7 million or 1.7% of global turnover in the case of important entities. However, if an incident simultaneously constitutes a data breach under the GDPR and has already been sanctioned accordingly, the sanctions under NIS 2 do not apply.
Conclusion: Which steps should companies and organizations take now?
Once the directive has been published in the EU Official Journal, Member States will have 21 months to transpose it into national law. Following this implementation, companies will have to be ready to comply with the new cybersecurity obligations in order to avoid the sanctions described above.
It is important to remember that implementing systems and procedures capable of quickly identifying, managing and mitigating a cyber-attack is a separate and additional step to GDPR compliance, and one that is fundamental to bringing your company up to an optimal level of cybersecurity. For this reason, it will be important to invest in the NIS 2 compliance process in the coming months, in order to gain not only a strategic but also a compliance advantage, which is essential to educating European companies in a proper IT and security culture.
It will be of particular importance to increasingly orient the choice of suppliers towards reliable partners who have invested in security and in compliance with industry standards.