NIS2: A new era of cybersecurity in the European Union

26 July 2024 | Knowledge, News, The Right Focus

NIS2, the Directive on measures for a high common level of cybersecurity across the Union, responds to increasingly serious digital threats by strengthening the protection of critical sectors of the economy against cybercrime. It applies in all Member States.

Key changes include:

  • Extending the range of covered entities
  • Defining minimum security requirements
  • Stricter incident-reporting requirements and higher penalties for non-compliance
  • Imposing supply chain security obligations

Member States have until 17 October 2024 to transpose NIS2 into national law; the national measures apply from the following day, 18 October 2024, when the original NIS Directive is repealed. The Polish Ministry of Digital Affairs plans to adopt the relevant act in the third quarter of 2024.

How to prepare for NIS2 obligations

NIS2 brings with it a number of obligations concerning cybersecurity risk management and incident reporting.

Before anything else, however, a company should assess internally whether it falls within the scope of NIS2 at all, based on the criteria below.

NIS2 covers medium-sized and large enterprises, i.e. those that exceed the small-enterprise ceilings of the EU SME definition (at least 50 employees, or an annual turnover and an annual balance sheet total each exceeding EUR 10 million), that operate in the following sectors:

  • Sectors of high criticality (Annex I): energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; ICT service management (business-to-business); public administration; space
  • Other critical sectors (Annex II): postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing; digital providers; research

In addition, NIS2 applies regardless of size to certain entities, such as providers of public electronic communications networks or services, trust service providers, top-level domain name registries and DNS service providers. Small enterprises and microenterprises may also be covered if, for example, they are the sole provider in a Member State of a service essential for critical societal or economic activities, or if a disruption of their service could have a significant impact on public safety, public security or public health.

NIS2 responsibilities, procedures and standards

Entities that meet the above criteria are subject to requirements in the following areas:

  • Risk management: Entities must implement appropriate and proportionate technical, operational and organisational measures to manage the risks to their networks and information systems
  • Incident reporting: Significant incidents must be reported to the competent authority or CSIRT in stages (an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month of the incident notification); where appropriate, recipients of the services must also be informed of significant cyber threats that may affect them and of the measures they can take
  • Threat analysis: Regular risk assessments are required to identify and respond to emerging threats
  • Supply chain security: The security of relationships with direct suppliers and service providers must be addressed as part of the risk-management measures
  • Cooperation with authorities: Entities must actively participate in the exchange of information on threats
  • Training: Employees and managers should receive regular cybersecurity awareness training

Importantly, NIS2 also sets out the responsibilities of management boards. Indeed, the management bodies of essential and important entities should approve cybersecurity risk-management measures and oversee their implementation.

Their members, meanwhile, are required to follow regular training to gain the knowledge and skills needed to identify risks and assess cybersecurity risk-management practices and their impact on the services the organisation provides. Entities are also encouraged to offer similar training to their employees on a regular basis.

Powers of supervisory authorities and associated penalties

The NIS2 gives supervisory authorities a range of powers to monitor implementation and enforce the new rules.

These include carrying out audits and on-site inspections, requesting the information needed to assess compliance, issuing warnings and binding instructions, and ordering entities to cease particular conduct or to implement audit recommendations. For essential entities, if those measures prove ineffective, the authorities may also temporarily suspend a certification or authorisation for the services or activities concerned, or temporarily prohibit the persons responsible for managerial functions (at chief executive or legal representative level) from exercising them.

Financial penalties for non-compliance are also increased, with maximum fines of at least:

  • For essential entities, EUR 10 million or 2 % of total worldwide annual turnover, whichever is higher
  • For important entities, EUR 7 million or 1.4 % of total worldwide annual turnover, whichever is higher

The NIS2 Directive represents a major change in the approach to cybersecurity in the European Union.

It is fair to say that it will substantially raise the level of awareness in many sectors. For some organisations, implementing its requirements may prove quite a challenge, so we encourage you to contact us now; we will be happy to guide you through the process.

Any questions? Contact us

Maciej Kuranc

Mikołaj Kuterek

Contact us:

Natalia Kotłowska-Wochna

Attorney-at-Law / Head of New Tech M&A / NewTech Practice Group / Head of the Poznan Office

+48 606 689 185

n.kotlowska@kochanski.pl

Maciej Kuranc

Attorney-at-Law Trainee / Associate / NewTech / Data Protection and Cybersecurity

+48 22 326 9600

m.kuranc@kochanski.pl