NIS2

  • Writer: Ioana Domocos
  • Jan 26, 2024
  • 3 min read

In January 2023, the European Union adopted a new version of the Network and Information Security Directive. This “NIS2” aims to get the EU up to speed and establish a higher level of cybersecurity and resilience within organizations of the European Union.


EU member states will have to transpose NIS2 into their national legislation by October 17, 2024. As such, Directive (EU) 2016/1148 (the NIS Directive) is repealed with effect from 18 October 2024.


By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures with regard to DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.


By 17 April 2025 and every two years thereafter, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.


Essential and important entities


NIS2 defines two categories for entities in scope:


  • essential: energy, health, transport, finance, water supply, digital infrastructure, public administration and space, and

  • important: digital providers, manufacturing, postal services (post and courier), waste management, food, chemicals and research.


Essential entities will be subject to proactive supervision from the moment NIS2 applies, while important entities will be subject to ex-post supervision, meaning that authorities take action once they receive evidence of non-compliance.


Important note for non-EU entities: Under Article 26 (Jurisdiction and territoriality), if an entity is not established in the EU but offers services within the EU, it shall designate a representative in the EU. The representative shall be established in one of the Member States where the services are offered. Such an entity shall be considered to fall under the jurisdiction of the Member State where the representative is established. In the absence of a representative, any Member State in which the entity provides services may take legal action against the entity for infringement of the NIS2 Directive.


Registration of entities


By April 17, 2025, the Member States must identify the essential and important entities in scope for the NIS2 Directive. Member States can enable entities to register themselves. Therefore, entities will have to determine if their services fall within the scope of NIS2, identify the list of Member States where they provide “in-scope” services and register before the deadline in each Member State.


The registration will require entities to provide at least the following:


  • Their name, address and registration number

  • The sector or sub-sector in NIS2 scope under which they fall

  • Their updated contact details

  • The Member States in which they operate

  • The list of their assigned IP addresses


Because NIS2 focuses on key supply chains, the Directive may still affect your entity even if it is not itself in scope, depending on the services you provide and the sector you serve: your in-scope clients will supervise you with regard to NIS2.


Accountability of the management


Another important addition is the accountability of the management of entities in scope of NIS2. Management will be obliged to take responsibility for the entity's cybersecurity maturity. This includes, among other tasks, having risk assessments conducted and approving the risk treatment plans to be implemented. To be able to perform these tasks, management must undergo cybersecurity training. The Directive even suggests training not only management but also employees, for more in-depth knowledge of cybersecurity.


Jurisdiction


If an entity provides services in more than one Member State, it falls under the jurisdiction of each of those Member States. Entities whose service is provided from, or depends on, operations outside the EU should ensure the continuity of their EU services in case their non-EU operations are disrupted.


Penalties


NIS2 introduces stricter penalties for non-compliance, including fines of up to 10% of an entity's annual turnover. For essential entities: administrative fines of up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher. For important entities: administrative fines of up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.
