On 10 November 2022, the European Parliament approved the second network and information systems directive (“NIS2”). Once approved by the Council of the European Union, NIS2 will expand the applicability of the existing NIS Directive and impose updated cybersecurity obligations (in particular on supply chain security and incident reporting) on entities in a wide range of sectors designated as critical infrastructure.
In this Debevoise Data Blog post, we explore who NIS2 will affect, its key provisions and steps that businesses can consider to enhance their compliance programs in anticipation of the changes.
Our key takeaways are:
- Business should consider whether NIS2 is likely to apply: the scope of the directive has been significantly expanded, and many more businesses operating in Europe will be covered than before.
- If covered, businesses should begin to prepare or evaluate existing governance frameworks and cyber-incident management policies that comply with the core principles of NIS2: while detailed requirements will follow with Member State implementation, the core requirements are now clear.
Operators of essential services such as banks, healthcare, energy, water and digital service providers for cloud services and online marketplaces are already regulated under the NIS Directive.
NIS2 significantly extends the scope to cover entities involved in waste-water management; public administration; digital infrastructure (data centre service providers, content delivery service providers, trust service providers, public electronic communications networks or electronic communications services providers); space; postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; and
manufacturing (medical devices, electronic and electrical equipment, machinery, motor vehicles, transport equipment) as well as digital providers (social networking services platforms).
NIS2 will create a two-tier supervisory regime. Entities will be categorised into “essential entities” (“EEs”) and “important entities” (“IEs”). EEs will be those operating in key sectors such as healthcare, energy and transport and will be supervised proactively. IEs, such as critical product manufacturers and postal services, will be under a reactive supervisory regime.
Further, while under the existing NIS directive Member States could determine the criteria to identify covered entities, under NIS2, all medium and large entities are covered (i.e., those with more than 50 employees and an annual turnover exceeding €10 million). Certain types of entities will be required to comply with NIS2 regardless of size, including those in public administration, public electronic communications networks and DNS services and entities that are the sole provider of a service in a Member State.
What are the key obligations?
Once implemented into Member State law, key obligations include:
- Incident Reporting: NIS2 establishes a two-stage reporting framework. Covered entities must submit an initial notification within 24 hours of becoming aware of “any event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems,” followed by a final report no later than one month later. The initial notification only needs to include the information strictly necessary to make the competent authorities aware of the incident and allow the entity to seek assistance as required and should indicate whether the incident is thought to have been caused by unlawful or malicious action. By contrast, the final report should include: (i) a detailed description of the incident, its severity and its impact; (ii) the type of threat or likely root cause; and (iii) details of actual and planned mitigation measures.
- Security Requirements: NIS2 requires that EEs and IEs take “appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems” they use to provide their services. These measures must include policies, procedures and governance structures covering at least: (i) risk analysis and information system security; (ii) incident handling; (iii) business continuity and crisis management; (iv) supply chain security; (v) vulnerability handling and disclosure; (vi) assessment of risk management measures effectiveness; and (vii) encryption.
- Mandatory Management Oversight: Covered entities’ management bodies (e.g., boards) will have to approve and supervise the implementation of the cybersecurity risk-management measures and complete regular mandatory cybersecurity-related training to enable them to discharge their oversight functions.
What are the penalties for breach?
When implementing NIS2, Member States will have to ensure that competent regulators have enforcement powers including at least being able to order businesses to:
- Pay fines up to the higher of €10 million or 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year;
- Cease noncompliant conduct and/or bring risk-management measures and/or reporting obligations in compliance in a specified manner and within a specified period;
- Make noncompliance public, including issuing public statements identifying the persons responsible for, and the nature of, infringements; and
- Work with a designated monitoring officer to oversee compliance over a period of time.
What should businesses do to prepare?
Member States will have 18 months from the adoption on NIS2 to implement the Directive.
- Businesses should consider whether NIS2 is likely to apply by: (i) assessing their activities against the sector lists in Annex 1 and 2 to NIS2; and (ii) evaluating whether the business meets the size threshold (i.e., more than 50 employees and an annual turnover exceeding €10 million, unless that requirement is disapplied).
- If businesses are already covered by NIS or are likely to be subject to NIS2, they should begin to prepare or evaluate existing governance frameworks and cyber incident management policies that comply with the core principles of NIS2 in anticipation of more detailed Member State laws.
Developments in the US
Covered entities may wish to consider how NIS2 overlaps with existing and forthcoming regulation in other jurisdictions.
In the United States, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”) was signed into law in March 2022. The Act requires critical infrastructure entities to report covered cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and report ransom payments to CISA within 24 hours of payment. CISA will have to undertake rulemaking to define key elements, including what types of entities constitute critical infrastructure, how a cybersecurity incident is defined, and what should be included in reports to CISA. Unlike NIS2, the Act does not create substantive cybersecurity obligations outside of incident reporting. Under the Act, the scope of covered entities is limited to critical infrastructure sectors, including the chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and waste water systems sectors. See our blog post for the key takeaways on the Act.
The authors would like to thank legal trainee Maria Santos for her contribution to this article.
To subscribe to the Data Blog, click here.