News Update Data Protection & Cybersecurity

On 22 June 2022, the EU Member States and the European Parliament agreed on revising the EU Network and Information Security Directive: NIS2.

NIS2 increases the number of sectors covered and strengthens security requirements. Furthermore, NIS2 addresses the security of supply chains, streamlines reporting obligations and introduces more stringent supervisory measures and stricter enforcement requirements. By effectively obliging more entities and sectors to take measures, NIS2 will assist in increasing the level of cybersecurity in Europe in the longer term. The European Commission initiated the revision in response to the growing threats posed with digitalisation and the surge in cyberattacks.

NIS2 encompasses three changes when compared to NIS:

1. Increasing the number of sectors covered by NIS2

Under the current Directive, adopted in 2016 and transposed by the EU Member States on 9 May 2018, operators of essential services (e.g. banks, healthcare providers and providers of drinking water and energy) and digital service providers (e.g. providers of cloud services and online marketplaces) are already obliged to improve their digital security to report cyber incidents.

NIS2 extends the scope of NIS by adding new sectors, such as telecom, social media platforms and public administration (i.e. entities of central and provincial governments). Entities falling within the NIS2's scope will be classified into two categories: operators of essential services and important entities. The operators of essential services, mainly consisting of entities operating in key sectors (including healthcare, energy and transport sector), will be proactively supervised. The important entities (including digital providers, manufacturers of certain critical products and postal and courier servicers) will be subject to a reactive supervisory regime, whereby supervision is triggered by indications of an incident. The important entities concern mostly medium-sized and large entities, where a potential disruption of services would not have serious societal or economic consequences.

Furthermore, NIS2 establishes that all medium-sized (i.e. entities with fewer than 250 employees and have an annual turnover not exceeding EUR 50 million and/or an annual balance sheet total not exceeding EUR 43 million) and large entities active in the sectors covered by the NIS2 framework are required to comply with the proposed security rules. NIS2 also removes the possibility for Member States to tailor the requirements in certain cases.

2. Strengthening security requirements

NIS2 includes a list of seven elements that all companies must address or implement as part of the security measures they take, including risk analysis and information system security policies, incident response, business continuity and crisis management, supply chain security, assessment of effectiveness of risk management measures, and encryption and vulnerability disclosure.

The proposal envisages a two-stage approach to incident reporting. Affected companies must submit an initial report within 24 hours from when they first become aware of an incident, followed by a final report within one month.

Regarding enforcement, NIS2 establishes a minimum list of administrative sanctions that can be applied when entities breach the rules regarding cybersecurity risk management or their reporting obligations under the NIS Directive. These sanctions include binding instructions, an order to implement the recommendations of a security audit and an order to bring security measures in line with NIS requirements. NIS2 also establishes administrative fines up to EUR 10 million or 2% of the entities' total turnover worldwide, whichever is higher.

3. Improving cooperation at EU level and the collective capability to prepare and respond

NIS2 includes rules on (i) measures to increase the level of trust between competent authorities, (ii) information sharing between competent authorities, and (iii) procedures in the event of a large-scale incident or crisis. Furthermore, an EU Cyber Crisis Liaison Organisation Network (EU-CyCLONe) was established, which supports the coordinated management of EU-wide cybersecurity incidents. The revised Directive will also establish an EU crisis management framework, requiring Member States to adopt a plan and designate national competent authorities responsible for responding to cybersecurity incidents and crises at the EU level.

Following the vote in the European Parliament, the new NIS2 Directive is expected to be published this autumn and implemented into national legislation before mid-2024. You can read the Commission's NIS2 proposal here. For more information on data protection and cybersecurity developments at national and EU level, you can refer to our previous news update here.