European Parliament adopts NIS 2 Directive

Published on 21 December 2022

The question

What is the NIS 2 Directive and how will it impact the cybersecurity obligations of companies operating in the EU? 

The key takeaway

The European Parliament has adopted a new EU directive which will update minimum cybersecurity standards across the EU (NIS 2). Its aim is to: (i) cover essential and important entities in a variety of sectors and services; (ii) introduce wide-ranging cybersecurity risk management requirements; and (iii) impose sanctions on entities and responsible individuals in the event of non-compliance.

The background

The Network and Information Security Directive (NIS 1) was the first piece of EU legislation designed specifically to enhance cybersecurity capabilities across the EU. However, since the Directive was enacted in 2016, the digital transformation of society has resulted in new, and potentially more damaging, cyber threats. NIS 2 will repeal NIS 1 and impose stricter requirements on in-scope companies with a view to making the EU’s cybersecurity landscape more robust in response to these risks. 

The development

The main changes are as follows: 

  • scope: a wider range of medium and large entities across many sectors is covered, divided into “essential” and “important” entities, each with its own supervisory regime. Essential entities in the digital infrastructure sector include cloud computing service providers and data centre service providers; important entities include providers of online marketplaces, online search engines and social networking services platforms. 
  • managerial accountability: management bodies must approve their entity’s cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements. Member States are given broad scope to lay down penalties, which may include fines, criminal offences and public statements naming the entity and the individuals responsible.
  • risk management: NIS 2 sets out a minimum list of ten measures (Article 21) that an entity’s cybersecurity risk-management measures must address, including incident handling, business continuity, supply chain security, vulnerability handling and disclosure, and policies on the use of cryptography and encryption.
  • reporting: entities must notify their CSIRT or competent authority of significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Near misses and significant cyber threats may be reported on a voluntary basis.
  • enforcement: Member States must provide for administrative fines with a maximum of at least €10m or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7m or 1.4% of total worldwide annual turnover (whichever is higher) for important entities.

When does the NIS 2 Directive come into force?

The Council of the European Union formally adopted the new law on 28 November 2022. NIS 2 will enter into force 20 days after official publication and Member States will then have 21 months to implement it into national law. 

Why is this important?

Large, sophisticated digital providers will be familiar with, and will most likely already be implementing, the cybersecurity requirements set out in NIS 2. However, what will be news to many is the potential for massive, GDPR-like fines, as well as individual accountability, at a time when the question is not “will I suffer a cyber incident?” but “when will I suffer a cyber incident?”

Any practical tips?

Besides keeping an eye on the passage of NIS 2, in-scope companies would do well to monitor national regulators for any indication on how they plan to implement NIS 2 locally, especially the extent of the potential penalties. 

Companies should also assess their current cybersecurity policies and measures against the NIS 2 requirements to identify gaps and gauge how much compliance will cost. Finance teams should then review budgets and plan for increased spending in this area.

Winter 2022