Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2) came into force on 16 January 2023. By 17 October 2024, Member States must adopt and publicise measures to comply with the Directive. NIS 2 will apply to a broad range of businesses which provide their services, or carry out their activities in the EU even if they are not based in a Member State. So what does this mean for you?
Use our NIS flow chart to see if NIS 2 applies to you. Note that digital infrastructure is classified as a highly critical sector and digital providers come within a critical sector. This catches (amongst others) cloud computing service providers, online marketplaces, search engines, social network platforms and data centre providers.
If you think NIS 2 applies to your business, here are 5 key things you need to do.
1. Determine where your main establishment is for NIS 2 purposes
By 17 October 2024 you need to determine whether you fall into any of the following categories:
- Domain Name System (DNS) service provider
- Top-level domain (TLD) name registry or entity providing domain name registration services
- Cloud computing service provider
- Data centre service provider
- Content delivery network provider
- Managed service provider
- Managed security service provider
- Provider of online marketplaces
- Provider of online search engines
- Provider of social networking services platforms
Businesses in these categories will fall under the jurisdiction of the Member State in which they have their main establishment in the EU. This means where decisions relating to cybersecurity risk management measures are predominantly taken. If such decisions are taken outside the EU, the main establishment shall be the Member State where cybersecurity operations are carried out. If this can’t be determined, it will be the Member State where the entity has the highest number of employees in the Union. If an entity is not established in the EU but offers services there, it will need to designate a representative who is established in one of the Member States where services are offered.
Providers of electronic communications networks and publicly available electronic communications services based outside the EU but providing services there will come under the jurisdiction of the Member State (or States) in which they provide services. Unlike the businesses above, providers of electronic communications networks and publicly available electronic communications services do not need to designate a representative in the EU. They do, however, need to comply with the requirements below.
2. Track upcoming cybersecurity risk management measures
Having worked out which Member State (or States) has jurisdiction over your business for NIS 2 purposes, you will need to track what cybersecurity risk management measures they put in place to comply with the Directive.
The measures will be adopted and published by 17 October 2024, so the detail is not yet available. However, NIS 2 takes an “all-hazards” approach that aims to protect network and information systems and their physical environment from incidents. Article 21 of NIS 2 states the measures shall include:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, e.g. backup management, disaster recovery and crisis management
- Supply chain security
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling
- Procedures to assess the effectiveness of cybersecurity risk management measures
- Cyber hygiene practices and cybersecurity training
- Policies on the use of cryptography and encryption
- Human resources security and access control policies
- The use of multi-factor authentication and secured communications systems
Your management body must approve your cybersecurity risk management measures, oversee their implementation, and undertake appropriate cybersecurity training. Management can be liable for infringements, so take these obligations seriously and get your cybersecurity house in order before autumn 2024.
3. Get ready to provide information to the competent authority
Member States must adopt a national cybersecurity strategy and designate or establish competent national authorities with cyber crisis management and computer security incident response teams (CSIRTs). If you fall within the scope of NIS 2, you will need to provide the relevant competent authority with detailed information by 17 January 2025.
This information includes your sector, subsector and type, including whether you are in a critical sector, along with details of the Member States where you provide services. Any changes to the information will need to be reported without delay and in any event within three months of the change. Keep this on your radar for future reporting obligations and consider adding cybersecurity as a regular agenda item at management meetings to help plan compliance.
4. Be aware of future reporting requirements
When the CSIRT and competent authorities are established, you must notify them, without undue delay, of any incident having a significant impact on the provision of your services. An incident is widely defined as “any event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems” (Article 23(3) NIS 2).
You should also notify, without undue delay, the recipients of your services of incidents that are likely to adversely affect the provision of the service and advise them of any measures they can take in response to a significant cyber threat. Consider who will be responsible for reporting incidents in your business and update your incident response plan accordingly.
5. Note the timings for reporting incidents
The timings of the reporting obligations will be tight:
- Early warnings must be filed without undue delay and within 24 hours of becoming aware of an incident
- Incident notifications must be filed without undue delay and within 72 hours of becoming aware of an incident
- An intermediate report may be requested by the CSIRT or competent authority
- Final reports must be filed within one month of the incident notification
Factor these deadlines into your internal reporting processes.
Is NIS 2 more stringent for businesses?
All businesses that were subject to the Cybersecurity Directive 2016/1148 (NIS 1) will also be affected by NIS 2, but the scope of NIS 2 has been widened to include a broader range of technology businesses such as social network platforms and data centre providers. Unlike its predecessor, NIS 2 requires management to approve cybersecurity risk management measures and holds them to account, via potential liability, for non-compliance.
NIS 2 also has stricter enforcement measures. Depending on the nature of the entity, penalties for non-compliance can be up to €10m or 2% of the organisation’s worldwide turnover, whichever is higher. These sanctions mean businesses should take their cybersecurity measures seriously, but this is against a backdrop of more frequent cyberattacks and ransomware demands, so management focus on cybersecurity can only help build resilience to such attacks.
What about the cost of cybersecurity measures? Under NIS 2 entities must “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations, or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services. Taking into account the state of the art and, where applicable, relevant European and international standards, as well as the cost of implementation”. This latter factor will be a relief to businesses as cost considerations were not part of NIS 1. Compliance with standards such as ISO certifications may help towards compliance with NIS 2. So businesses working towards these standards or renewing certifications may be ahead of the curve.
Ultimately NIS 2 is aimed at harmonising minimum standards of cybersecurity across the EU and ensuring cooperation between relevant national authorities. Speaking of harmonisation, the UK has announced that it will be reforming the national legislation that previously transposed NIS 1 into UK law. The proposed reforms are not as wide-ranging as NIS 2, so when NIS 2 comes into force, the minimum cybersecurity requirements and incident notification rules will differ between the UK regime and the EU rules. Organisations that come within the scope of NIS 2 will therefore need to comply with two different cybersecurity regimes. If nothing else, this demonstrates the importance of cybersecurity in the digital age and the fact that it should be high on the management agenda.