What EU businesses need to know about NIS2 and cybersecurity compliance
Published on 21st Dec 2023
Organisations need to get prepared as the revised directive's national implementation deadline nears in 10 months' time
The revised Network and Information Systems Directive, or NIS2, which entered into force on 16 January 2023 and replaced the Network and Information Systems Directive (NIS1), aims to eliminate divergences in implementing the repealed NIS1.
The updated directive addresses an increasingly digital world in which cybersecurity has become a paramount concern: as technology evolves, so do threats and this makes it crucial for organisations to strengthen their cyber security defences and ensure compliance with evolving regulations.
NIS2 represents a significant step forward in bolstering cybersecurity resilience across the European Union (EU). With its broader scope, risk-based approach and emphasis on supply chain security, NIS2 acknowledges this evolving threat and the critical role of essential services and digital infrastructure.
The 21-month implementation period for NIS2 to be incorporated into national legislation started on 16 January 2023, during which NIS2 must be incorporated into national legislation. EU Member States have until 17 October 2024 to transpose the directive into their national laws. What progress has been made among the Member States?
- The Netherlands
In the Netherlands, it was announced that a draft implementation act of NIS2 will become available sometime in the first quarter of 2024. After publication of the draft act, an internet consultation period of six weeks will start, allowing citizens, organisations, and government institutions to comment on the draft and suggest possible improvements.
In addition, the Dutch government published a tool on its website, allowing organisations to determine whether NIS2 applies to their organisation, their organisation is an ''essential'' or ''important'' entity; and whether their organisation falls under Dutch supervision.
The tool also provides information on each category of sectors-subsectors and entities to which NIS2 may apply. Although most information included in the tool is already set out in the annexes of NIS2, it does provide additional information that may be useful to determine if and how NIS2 will impact an organisation.
The Dutch government confirmed in a recent letter that all tiers of government will be designated as essential entities under the NIS2 implementation act. This includes independent administrative bodies and regional authorities, such as autonomous administrative authorities (zelfstandige bestuursorganen). Government organisations belonging to the judiciary, parliament and the central bank will not fall within the scope of the NIS2 implementation act.
The Dutch government advises organisations to start implementing measures relating to cybersecurity and NIS2.
The Federal Ministry of the Interior has published two versions of a draft bill for implementing NIS2 into German law. The latest Implementation Act draft published in July proposes changes to several German legal acts.
At its centre are new versions of the Act on the Federal Office for Information Security – the BSI Act – and several administrative regulations (Verordnungen) that further specify the BSI Act (the administrative regulations and BSI Act already serve to implement the NIS1 guideline). For sections of the new draft of the BSI Act, the Ministry of the Interior published an informal discussion paper in September 2023.
Judging from the current Implementation Act, it seems that the German lawmaker will choose to implement NIS2 stricter than the guidelines itself requires (that is, beyond minimum harmonisation).
Germany will widen the scope of regulated entities as compared to NIS2; so far, Germany has identified NIS1-regulated entities based on whether they supply around 500,000 people in Germany with “critical” services. It regulated more entities than required under NIS1.
With NIS2, some of those formerly regulated entities in Germany could theoretically fall out of the regulation. However, the current German drafts introduce a third category additional to the “essential” and “important” entities regulated under NIS2. In this category, the drafts plan to continue regulating former “critical infrastructures”. More entities would fall into the scope of IT-security obligations in Germany than the NIS2-scope requires.
The current drafts enable the Ministry of the Interior to require mandatory cybersecurity certifications for certain services. NIS2 only enables, but does not require Member States to introduce mandatory certifications.
The German implementation will contain a requirement for the third category of entities (“critical facilities”) to provide the Federal Office on Information Security with suitable evidence of its appropriate technical and organisational IT security measures every three years.
However, the Implementation Act Draft may still be changed significantly. It is currently in an early stage of the lawmaking process as an internal document undergoing discussions within relevant ministries (Referentenentwurf). It has not yet been endorsed by the federal government and brought to Parliament as an official draft, which would start the formal legislative procedure. Even after the Implementation Act is passed, the BSI Act will remain abstract. The Ministry of the Interior will have to specify important in several administrative regulations (Verordnungen) the details of the new BSI Act once it has come into force.
The French National Agency for the Security of Information Systems (ANSSI) is in charge of NIS2 in France. The ANSSI has indicated that the French transposition bill is still being drafted and, to meet the deadline of 17 October 2024, it launched consultations with stakeholders in the second half of 2023. The ANSSI insisted on the terms of "co-construction" with stakeholders concerning the implementation of security measures and has looked to discuss methods, timing, assumptions mechanisms and more.
The ANSSI has indicated that businesses that are already regulated by NIS1 should continue their efforts to get ready while new entities can start to prepare by consulting the guides already available on its website where it has a dedicated NIS2 page with a Q&A. The guidelines stem from general EU recommendations and concern IT governance, protection and resilience.
Italy will implement NIS2 by legislative decree adopted by the government, which will be empowered by Parliament via delegation law. On 27 July 2023, a new draft named European Delegation Law 2022-2023 was tabled before Parliament.
The draft mentions criteria for the government to follow when adopting the legislative decree. These include parameters for identifying public entities that are subject to the NIS2 and specific public and private entities providing services for public entities in sectors exempted from the application of the NIS2. They also include mechanisms for registering “important” or “essential” entities, and the competencies of the Agency for Digital Italy and of the National Cybersecurity Agency.
As the draft is still being discussed, the criteria could be amended. The government should adopt the legislative decree before 17 June 2024, unless the delegation law enters into force after that date. At this very early stage, it cannot be excluded that the actual implementation of NIS2 might take place after 17 October 2024.
Although NIS2 should also be implemented in Spain by 17 October 2024, currently there are no drafted legislative bills or official guidance documents on transposition of the directive. This transposition process is still in its very preliminary stages and specific details on the timeline and enactment are pending further legislative developments.
In Poland, legislative work has been carried out in recent years on the amendment of the National Cyber Security System (NCSS) Act, which is the Polish implementation of NIS1.
The amendment also considers some of the requirements and solutions introduced in NIS2. However, full implementation will not take place until the next iteration of the NCSS Act that is scheduled for the end of 2024. The draft, along with other pieces of new technology legislation, has now been withdrawn from further consideration. This is likely to be linked to the parliamentary elections in Poland that took place on 15 October 2023.
The implementation of NIS2 is at a standstill but is expected to resume in the new term of the Polish Parliament, the Sejm, in early 2024.
Led by the Centre for Cybersecurity Belgium (CCB), Belgian authorities have presented a draft law that establishes a framework for NIS2 and an implementing royal decree to transpose the directive. The proposals have already received initial approval from the Belgian Council of Ministers and will undergo further review by the Council of State and the Belgian Data Protection Authority. Additionally, the prime minister has instructed the CCB to organise a public consultation on the preliminary draft for the law, along with its accompanying draft-implementing royal decree. The CCB has published the draft explanatory memorandum, with the consultation closing for comment on 21 of December 2023.
Sweden converted the NIS1 into its own legislation in 2018 through "Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster". NIS2 is in the process of being implemented into Swedish legislation. On 23 February 2023, the Swedish government appointed a special investigator within the Ministry of Defence to propose the adaptations of Swedish law that are necessary for the directive's implementation.
The special investigator will report to the Swedish government by 23 February 2024. The investigator will propose how the identification of and requirements for entities covered by NIS2 must be regulated, as well as how the roles will be distributed between Swedish authorities with reference to duties and responsibilities provided in NIS2.
Analysis will also be undertaken on how NIS2 should work alongside the Swedish security protection regulation and changes proposed to achieve a more coherent system between the regulations. The investigator will consider the need for a stronger and more comprehensive protection of the confidentiality of data that may be processed pursuant to NIS2, and submit proposals for necessary constitutional amendments.
There have been no further updates on the implementation status of NIS2 ahead of the special investigator's report in February.
NIS2 improves NIS1
NIS2 introduces important changes and improvements to NIS1. It is broader in scope and has a risk-based approach. It emphasises supply-chain security and introduces stricter incident reporting and management liability for failing to comply with cybersecurity requirements under NIS2. It also strengthens national regulatory oversight.
While NIS1 primarily focused on the security of network and information systems for essential and vital services, NIS2 extends the scope to organisations such as in the water supply and distribution sector (for example, wastewater operators), food production services, and digital services such as cloud computing. Moreover, governments can designate micro or small organisations, such as services that are of vital importance to the national economy or society.
NIS2 adopts a more risk-based approach to cybersecurity, requiring organisations to assess and manage risks effectively rather than adhering to one-size-fits-all security measures. It requires essential and important entities to at least implement:
- Procedures for incident handling.
- Procedures for backup management and crisis management.
- The use of multi-factor authentication.
- Policies on risk analysis and information system security.
- Policies and procedures for the use of cryptography and encryption.
Supply chain security
NIS2 emphasises the importance of supply chain security, obligating businesses to ensure the security of their digital supply chains and assess the cybersecurity of their suppliers.
Entities that fall under the scope of NIS2 must put in place appropriate and proportionate technical, organisational and operational measures to ensure supply chain security.
Stricter incident reporting requirements include shorter deadlines for serious incidents to competent authorities to ensure a swift response to cyber threats.
Entities must report all significant cybersecurity incidents to the designated national computer security incident response team or to the competent national authority (depending on how this is arranged under the national implementation acts).
Directors of organisations to which NIS2 applies can be held personally liable if they are found to have failed to take appropriate measures to ensure compliance with the cybersecurity requirements under the revised directive.
Liability may arise where directors are negligent in their duties regarding the security of network and information systems and this leads to significant incidents or breaches. It can also arise where directors do not ensure that their organisation complies with the specific obligations outlined in NIS2, such as risk assessments, incident reporting and cooperation with national authorities.
Personal liability typically only occurs in cases of serious negligence or intentional misconduct. Directors should, therefore, be diligent in overseeing their organisation's cybersecurity efforts and ensure compliance with NIS2 to minimise the risk of personal liability.
Stronger regulatory oversight
The directive empowers national regulatory authorities with enhanced supervision and enforcement capabilities, ensuring that businesses comply with its provisions.
What businesses does NIS2 apply to?
NIS2 applies to a wide range of businesses and organisations and encompasses both public and private entities that operate within the EU, categorised as ''essential'' or ''important''.
Operators of essential services provide services that are essential for the maintenance of critical societal and economic activities. Essential entities are considered to have a more disruptive impact on the economy and society if their services fail compared to important entities.
An organisation is considered an essential entity if it is a large and operating in a sector set out in annex one of NIS2, such as energy, transport, healthcare and financial services. An organisation is large if it has a minimum of 250 employees or an annual turnover of more than €50 million and a balance sheet total of more than €43 million or both.
If organisations are designated as a critical entity under the Critical Entities Resilience Directive, they are automatically considered essential entities under NIS2 as well. These are medium-sized organisations that operate in sectors set out in annex one and has a minimum of 50 employees or an annual turnover and balance sheet total of more than €10 million or both.
Medium-sized and large organisations operating in a sector set out in annex two of NIS2 also qualify as important entities. These include, for instance, waste management, postal and courier services, and manufacturers of medical devices.
The Dutch government has published a tool for businesses to determine whether NIS2 applies to them and provides more information on categories of subsectors and entities. Other EU countries are expected to provide similar tools or guidelines in due course.
Compliance measures checklist
NIS2 compliance will not only be mandatory but also essential to mitigate cybersecurity risks effectively. The implementation process into national legislation is ongoing, but governments across the EU have advised businesses to take preparatory measure. What steps can businesses take?
|Conduct thorough risks assessments to identify vulnerabilities and threats specific to the organisation and draft and implement risk management strategies tailored to their business. Risk assessments should take into account digital risks that could disrupt business continuity, the interests that are most important to the business and measures already taken to protect those interests.
|Incident response plan
|Develop a robust incident response plan that outlines procedures for detecting, reporting, and mitigating cybersecurity incidents promptly.
|Supply chain security
|Evaluate the cybersecurity practices of suppliers and partners. Consider how to ensure that these meet the required security standards; for example, by amending current contracts, adding new cybersecurity related provisions in template agreements and implementing procedures for regular checks and audits). Consider diversifying supply chain to reduce single points of failure.
|Security by design
|Incorporate cybersecurity into the design and development of products and services. Implement security controls at every stage of the product lifecycle.
|Develop and implement training sessions for employees on cybersecurity best practices and create a culture of security awareness within the organisation.
|Keep abreast of developments regarding NIS2 and closely monitor draft NIS2 implementation acts. Where relevant and possible, you may want to provide input on those draft acts during consultation periods.
Osborne Clarke comment
Member States must transpose the NIS2 into local laws by 17 October 2024. Although this seems a long way off, we see that most Member States are taking steps to legislate implementation acts and issuing related guidance. However, since many Member States are behind schedule transposing the directive, it is likely that some will not meet the transposition deadline.
Organisations that foresee or suspect to fall under the scope of NIS2 or consider cybersecurity of utmost importance to their business would be wise to prepare well in advance. By conducting risk assessments, developing incident response plans and fostering a culture of cybersecurity awareness, organisations will be well on their way to meeting the new obligations.
If you have any questions regarding the NIS2, such as whether and how it will apply to your organisation, or if you would like us to keep you updated on new developments regarding NIS2, please contact one of our experts.
Elena Rossi, a trainee solicitor at Osborne Clarke, contributed to this Insight.