NIS 2: A Sequel Worth Watching

Cybersecurity risk management and reporting obligations rules in Europe are about to change significantly. The new Directive on measures for a high common level of cybersecurity across the EU (“NIS 2”) is set to require EU Member States to transpose into national law new provisions which will impose stricter cybersecurity risk management requirements on more organizations, and introduce tougher supervisory and enforcement measures.

The Council of the EU and European Parliament recently reached a provisional agreement on NIS 2, which was first proposed by the EU Commission in December 2020. Once formally adopted, NIS 2 will replace the current Directive (EU) 2016/1148 on security of network and information systems (“NIS 1”).

Among other things, NIS 2 will set the baseline for cybersecurity risk management measures and reporting obligations across all covered sectors, which includes energy, transport, chemical manufacturing, production and distribution, postal and courier services, healthcare, and digital infrastructure.

NIS 2 forms part of the EU’s wider effort to better protect critical national infrastructure from cybersecurity threats, including the heightened risk and critical vulnerabilities associated with networking and information systems, and digital supply chains.

What are the key changes?

Although the final draft text has not been published yet, we set out below the key changes proposed.

Broader scope

NIS 2 reclassifies the existing distinction between “operators of essential services” and “digital service providers,” increases the number of regulated sectors, and significantly expands the types of organizations that fall within these sectors.

New sectors and services which are now within scope include, among others, manufacturers of certain critical products (for example, pharmaceuticals, medical devices, and chemicals), postal and courier services, and digital services (for example, social networking platforms and data center services).

Organizations will also be classified based on their importance, and divided respectively into “essential” and “important” categories. Essential and important entities will be subject to the same cybersecurity management and reporting requirements. However, different supervisory and penalty regimes will apply to each (as explained below).

Furthermore, NIS 2 broadens the extraterritorial effect already in place under NIS 1. While NIS 1 already has some extraterritorial reach in that it applies to non-EEA “digital service providers” that offer services in the EEA (but not to non-EEA “operators of essential services”), NIS 2 will generalize this extraterritorial scope to all covered entities.

Stricter cybersecurity risk management

NIS 2 will strengthen cybersecurity requirements imposed on organizations by:

• Providing a minimum list of basic technical and organizational measures which must be applied. For example, organizations will be expected to implement policies regarding information system security, incident response, and the use of cryptography and encryption, among other things. NIS 2 provides that the measures imposed on important entities may be less stringent than those imposed on essential entities;
• Requiring organizations to address cybersecurity risks in supply chains and supplier relationships. For example, organizations will be expected to identify any specific supplier vulnerabilities or issues with suppliers’ products; and
• Introducing governance and accountability obligations on organizations’ management bodies (which in many cases will be an organization’s board). Management bodies will need to approve cybersecurity risk measures and supervise their implementation, and may be held accountable for non-compliance.

Reporting obligations

Reporting obligations will be expanded in respect of what must be reported, to whom, and the precise timeframe for doing so.

With regard to reporting obligations, the generalized reporting obligation in NIS 1 is replaced with a streamlined tiered plan in NIS 2. Incidents having a significant impact on services will have to be reported to the relevant supervisory authorities (i) within 24 hours at the latest (initial notification), (ii) upon request of the supervisory authorities (intermediate report), and (iii) no later than one month after the initial notification (final report).

In addition, “where appropriate,” such organizations will need to notify, without undue delay, recipients of their services of any incidents likely to adversely affect the provision of the relevant service.

In the event of a “significant cyber threat” (i.e., those threats which could have potentially resulted in a significant incident affecting relevant services), organizations will need to notify, without undue delay, recipients of their services of any measures or remedies that those recipients can take in response to that threat and, “where appropriate,” the threat itself.  Notably, following concerns raised by EU Member States regarding the overburdening of covered entities and potential overreporting, NIS 2 will not mandate the reporting of such threats to supervisory authorities.

Supervision and enforcement

NIS 2 will introduce more stringent supervisory measures for authorities, including higher fines (set at the EU level) for breach of the cybersecurity risk management and stricter reporting obligations.

For important entities, supervisory authorities will only assess compliance after there is evidence or indication of non-compliance. In contrast, for essential entities, supervisory authorities will be able to assess compliance (including by conducting inspections and audits, and making information requests) at any time.

Different penalty regimes will apply to important and essential entities.  For example, essential entities could be subject to maximum fines of at least EUR 4 million or 2% of global turnover (whichever is higher). Reports have also been made that suggest that the final NIS 2 framework will provide for even higher maximum fine levels. In any event, the new maximum fine levels are expected to be much higher than many of the existing thresholds set by EU Member States under NIS 1. For example, in Ireland, the maximum fine which can be imposed under the NIS 1 regime is €500,000 for organizations.

What’s next?

The provisional agreement is now subject to approval by the Council of the EU and European Parliament (which is often seen as a formality once there is political consensus) and is expected to take place within the coming months. The NIS 2 framework, being a Directive (rather than a Regulation), means that EU Member States will still have to transpose the NIS 2 requirements into their national laws in order for them to have legal effect. Once NIS 2 has been adopted, EU Member States will have 21 months thereafter to incorporate the provisions into their national law. However, EU Member States may well introduce national implementing laws ahead of the deadline, as some of them did with NIS 1.