NIS 2 Directive: a key update for cybersecurity in the EU
Published on 24th Feb 2023
The revised regulation aims for high-level cybersecurity and to eliminate divergences in implementing the repealed NIS 1.
Although digital transformation has brought multiple benefits in terms of efficiency and productivity, it has also opened the door to new cybersecurity challenges. Cyberattacks and threats on networks and information systems are becoming more and more frequent, mainly targeting sectors that handle valuable and sensitive data, such as the healthcare sector.
A ransomware attack suffered by a renowned Spanish medical insurance company in September 2020 kept the company's digital systems offline for at least a month. The Covid-19 pandemic has exacerbated this situation by increasing exposure to and dependence on new technologies, which has led to greater vulnerability and more opportunities for cyberattacks. This new reality of interdependent and connected systems requires a coordinated response from all Member States to ensure the robustness and security of EU systems as a whole.
The previous Directive (EU) 2016/1148, known as the Network and Information Systems (NIS) 1 Directive, aimed to create a common framework for cybersecurity across the EU. However, its revision revealed that the obligations were being implemented differently in each Member State, with harmful effects on the internal market. These differences, which translate into greater vulnerability to cyberattacks in some Member States, create security gaps and compromise the overall integrity of the Union's networks and information systems.
In response to this situation, in a context of geopolitical instability where the use of asymmetric warfare tactics such as cyberattacks has become widespread, the European Union has taken a step forward and has approved the NIS 2 Directive (Directive (EU) 2022/2555). This regulation, which was published in the Official Journal of the European Union on 27 December 2022, replaces the NIS 1 Directive.
Its main objective is to put an end to the differences between Member States by defining common minimum requirements and establishing mechanisms that ensure effective cooperation between their authorities. The provisions of the directive will be mandatory as of 17 October 2024, and will require an update of the Spanish legislation in this matter, which is currently contained in Royal Decree-Law 12/2018 and its implementing regulations, Royal Decree 43/2021.
Scope of application
The NIS 2 Directive significantly extends the list of sectors within the scope of the regulation and provides more detail on the entities that must be subject to the cybersecurity requirements. This regulation will be mandatory for any entity with more than 250 employees and an annual turnover exceeding €50 million, an annual balance sheet exceeding €43 million, or both. In special circumstances and for particularly exposed sectors, entities must comply with the NIS 2 Directive regardless of the size of the company; this is the case, among others, for providers of public electronic communications networks or of publicly available electronic communications services, or where the disruption of the service could have significant implications for public health.
Furthermore, the classification of these entities as "essential" or "important" (for example, entities carrying out research and development activities of medicinal products and medical devices, digital providers, energy providers, entities dedicated to the production, transformation, and distribution of food, etc.) will depend on each Member State. Although both groups must comply with the same obligations, the classification as an essential entity is subject to stricter supervision.
The regulation introduces a set of mandatory measures that each entity must address to prevent cybersecurity incidents. This includes, among others, policies on risk analysis and information system security, cyber hygiene practices, cybersecurity training, and multi-factor and continuous authentication solutions.
Similarly, new requirements are introduced regarding privacy, such as the obligation to report infringements that entail a personal data security breach in accordance with the General Data Protection Regulation. Additionally, cybersecurity measures applicable to both Member States and essential and important entities are strengthened, with Member States being responsible for enforcing compliance with these provisions by the entities and, consequently, for taking appropriate supervisory and sanctioning action in the event of non-compliance by such entities.
Responsibility of management bodies
Although the text does not indicate what should be understood as a management body of essential and important entities, it does regulate the obligation of these bodies to approve and supervise cybersecurity measures.
Moreover, this directive attributes responsibility to said bodies in the event of non-compliance with the legislation. In this regard and with the aim of ensuring that employees of the companies subject to the regulation acquire knowledge on risk prevention in the field of cybersecurity, the NIS 2 Directive obliges the members of management bodies to attend training sessions on cybersecurity risk prevention and to pass this information and knowledge on to their employees.
Member States must implement systems that provide for effective, proportionate, and dissuasive sanctions. Fines for non-compliance can reach 2% of the organisation's annual turnover or €10 million, whichever is greater, for essential entities, and up to 1.4% of the organisation's annual turnover or €7 million for important entities.
Reporting obligations and timelines
While the obligations to report incidents were already regulated under the NIS 1 Directive, the new directive clarifies the scope of these obligations with more specific provisions regarding the reporting process, content, and timelines. In particular, affected entities must submit an initial assessment of an incident to their computer security incident response team (CSIRT) or, where applicable, to the competent authority within 24 hours of becoming aware of the incident, and must provide a final update within a month of the initial notification. Regarding public awareness, the text also provides that, where it is necessary to notify the public in order to prevent or deal with an ongoing significant incident, or where disclosure is in the public interest, the national or third-country CSIRT and the competent authorities may take the initiative to inform the public about the incident, after having consulted the affected entity, or may even require the affected entity to do so.
Use of artificial intelligence
One of the most novel aspects of this directive is the requirement for Member States to promote the use of innovative technologies, including artificial intelligence, to improve the detection and prevention of cyber-attacks, which would allow for a more efficient and effective allocation of resources to combat these threats.
The healthcare sector
The widespread use of electronic records, health applications and portable devices in the healthcare sector involves the processing of vast amounts of highly sensitive personal health data. While these information systems are essential to the current functioning of healthcare organisations and have significantly improved the diagnosis and treatment of diseases, any disruption or compromise of these systems can have serious consequences for both patient health and privacy.
The value attributed to these categories of personal data has considerably increased the risk of these organisations being targeted by cyberattacks. The European Union Agency for Cybersecurity (ENISA) has carried out a study aimed at understanding the current state and development of CSIRTs in the healthcare sector in the EU. The ENISA report concluded that 73% of Member States consider that the creation of groups or forums to share information and best practices related to cybersecurity incidents in the healthcare sector should be supported. This is to ensure that healthcare organisations have access to up-to-date information on the latest cyber threats and can take appropriate measures to protect their information systems. The EU is making progress in this regard, as evidenced by the NIS 2 Directive, which establishes a framework for cooperation between EU Member States to share this type of information.
Since the approval of this regulation, the CSIRTs have played an important role in the EU, and in relation to the health sector, healthcare CSIRTs together with institutions, such as the Health Information Sharing and Analysis Center (H-ISAC), are facilitating the transfer of knowledge at an international level through seminars, workshops, working documents and educational summits. H-ISAC and others are aiming to be more proactive when it comes to potential cybersecurity incidents and thus helping to improve cybersecurity and the resilience of information systems in the healthcare sector throughout the EU.
Osborne Clarke comment
This directive represents a further step towards harmonisation of cybersecurity legislation at European level and calls for governments, businesses and citizens to be better prepared to prevent cyberattacks. Prevention is the cornerstone of the fight against cybercrime, and the fact that the current legislation obliges organisations to adopt a higher level of protection is undoubtedly good news, in particular for sensitive and threatened sectors such as healthcare.