The 2016 Network and Information Systems Directive (NIS) was EU-wide legislation which aimed to impose a common level of network and information system security across critical infrastructure within the EU Member States. However, this legislation left much up to Member States to determine, such as which entities come under its scope, the specific requirements, and the enforcement and supervision measures. As a result, NIS had limited impact on protecting critical infrastructure. NIS2, which will be enforced from October 2024, updates the previous Directive, providing more specific criteria and requirements to ensure a harmonised approach is taken across the EU. It will also bring into scope many more organisations from an extended range of sectors. The most significant shift is the imposition of more stringent supervisory measures and harsher sanctions for non-compliance. This article explores a few key changes: the revised and expanded scope of sectors falling within its remit, the enhanced supervision and enforcement powers, the introduction of liability for senior management, and the new obligations for incident reporting.
NIS2, which replaces NIS1, was passed to address the vast divergence in the level of enforcement across the EU that the former Directive allowed, as well as to respond to the increased number of cyber threats to critical infrastructure that the past few years have seen. Member States have until 17th October 2024 to transpose the Directive into national law. In some Member States, the obligations are expected to take immediate effect after transposition.
Who is in-scope?
Where the previous Directive gave Member States discretion to determine the specific categories that come under its scope, NIS2 outlines all the in-scope sectors itself. Within these sectors there are many new additions, such as public administration, postal and courier services, food production and processing, and waste management services (to name a few). The increase in in-scope organisations is significant: for example, where NIS1 impacted about 120 organisations in Ireland, NIS2 is expected to impact between 2,500 and 4,000 Irish entities.
Entities within the remit of NIS2 will be classified as either Essential Entities or Important Entities, depending on which sector they fall into and their size. Organisations with between 50 and 249 personnel, or more than 10 million in annual revenue, will be classed as Medium Entities and, in most instances, fall into the category of Important Entities. Organisations with 250 personnel or more, or more than 50 million in annual revenue, will be classed as Large Entities and, in most instances, fall into the category of Essential Entities. The Irish National Cyber Security Centre (NCSC) has produced a useful guide to help determine which category an organisation will fall into. Whilst the requirements for Essential and Important Entities remain largely the same, Essential Entities will face greater penalties and be under stricter supervision.
Incident Reporting Requirements
The previous Directive’s requirement on reporting incidents will be updated to include a phased approach to reporting. The previous 72-hour deadline has been replaced by the following reporting requirements:
- An early warning report within 24 hours of becoming aware of a significant incident;
- An initial notification within 72 hours of becoming aware of a significant incident, updating the early warning report with an assessment of risk;
- Intermediate status reports and progress reports;
- A detailed final report within one month of the resolution of the incident.
Given the increased focus on threats to the supply chain, there will also be a new requirement for organisations to notify the recipients of their services, without undue delay, of incidents that may impact those recipients. These tight deadlines mean that organisations need to be thoroughly prepared to respond to incidents. We recently provided some tips on incident response planning in a previous newsletter article, which can help organisations prepare to meet these deadlines.
Cybersecurity Risk Management & Management Responsibilities
Another significant shift in NIS2 is that management bodies (e.g., Board members or top-level executives) will be expected to be fully informed and actively involved in the management of cyber-risks. Whilst the Directive requires a proportionate approach to managing risk, entities will be required to actively manage and monitor their cyber-risks with oversight from senior management. Management bodies will be expected to approve cyber-risk management activities and to allocate adequate resources. Furthermore, management bodies will be required to undertake sufficient training to ensure they are informed enough to oversee the area of cyber-risk. As well as ensuring that they themselves have adequate skills and knowledge in this area, management bodies will also need to ensure that regular training is provided to their staff. All these activities will need to be evidenced, as it will be within the powers of the National Competent Authorities (NCAs) to request evidence that these obligations are being met.
Other General Requirements
A high-level view of the requirements can be found in Article 21(2) of the Directive. None of these requirements will come as a surprise; they cover the usual key areas of information security, such as supply chain security, cryptographic controls, and business continuity and disaster response measures. Whilst the specific details of what is required will not be available until closer to the October 2024 deadline, the details in Article 21 do provide a baseline that in-scope organisations should be working towards in the interim.
Enforcement and penalties
Essential Entities will face ex-ante (or proactive) supervision, meaning that NCAs will actively engage with these organisations (through on-site inspections, audits, etc.) to make sure that they are complying with the requirements. Important Entities, in contrast, are subject to ex-post (or reactive) supervision, meaning that they will be investigated by NCAs where there is evidence or information suggesting non-compliance. The enforcement powers granted to NCAs range from the issuing of warnings to orders to cease conduct; they also include measures such as making aspects of non-compliance public. Additionally, NCAs will have the power to designate a monitoring officer to an entity to oversee compliance improvement. Unlike NIS1, the financial penalties which NCAs are able to issue under NIS2 are mandated in the Directive, reaching as high as €10 million or up to 2% of worldwide turnover, depending on the type of entity. Interestingly, senior management with responsibility for cybersecurity risk management may now also be personally impacted through temporary suspension or receipt of an administrative fine. These are some of the minimum powers that must be granted to NCAs by Member States; the precise application of measures will be determined through the implementing legislation at Member State level.
Organisations will have just under a year to prepare for NIS2, and would be well advised to develop an implementation plan now, to allow appropriate time to prepare for its introduction. There are many areas which can be addressed ahead of the legislation, such as the development or update of policies (covering areas such as incident response, business continuity, change management, etc.), training of staff and management bodies, and testing of incident response processes. Organisations should also prioritise reviewing their cyber-risk management activities and ensuring governance structures are in place so that cyber-risk is an agenda item regularly reviewed by senior management.
Our data protection and cyber-risk service is currently working with organisations to help them prepare for NIS2, building upon our previous work with Operators of Essential Services subject to NIS1. We can design a NIS2 compliance roadmap for your organisation and assist in all the necessary steps, such as developing a cyber-risk management framework, conducting board level and staff cybersecurity training and running incident response preparedness workshops. If you would like to discuss our services for NIS2 compliance, please feel free to contact our advisers.