The NIS Directive (EU 2016/1148) was the first piece of EU-wide
legislation on cybersecurity. Its expanded revision, the
NIS2 Directive (NIS2D), has finally been adopted. Once it is
published in the Official Journal, Member States will have 21
months to transpose it into national law, so national implementing
rules are expected to apply sometime in 2024.
What does NIS2D change, and how does it affect
organisations?
Background
The NIS2D is a response to the ever-growing cyber-attack
landscape within the EU and worldwide. It aims to ensure a high,
common level of cybersecurity across the EU. The NIS2D updates and
expands the scope of the pre-existing framework (the NIS Directive)
to include medium and large businesses from more critical sectors
(e.g. manufacturing of critical products (including medical device
manufacturers), postal and courier services, public administration,
digital services). The NIS2D also retains and strengthens the
cybersecurity and incident reporting obligations that the NIS
Directive already placed on operators of essential services and
digital service providers (e.g. online marketplaces, search engines
and cloud services); under NIS2D these are reclassified as
"essential" or "important" entities.
Key Changes
- Broader Scope: it will apply to a broader range of sectors and
entities. As a general rule only medium and large enterprises are
caught (micro and small enterprises are excluded), although certain
entities, such as providers of public electronic communications
networks or services, trust service providers, TLD name registries
and DNS service providers, are in scope regardless of size. The
following sectors will be under the scope of the NIS2D:
o Sectors of high criticality (Annex I), whose large entities are
generally classified as Essential Entities:
energy; transport; banking; financial market infrastructures;
health; drinking water; wastewater; digital infrastructure; ICT
service management (business-to-business); public administration;
space.
o Other critical sectors (Annex II), whose entities (together with
medium-sized entities in the Annex I sectors) are generally
classified as Important Entities:
postal and courier services; waste management; the manufacture,
production and distribution of chemicals; food production,
processing and distribution; manufacturing (including of medical
devices); digital providers (such as providers of online
marketplaces, online search engines and social networking services
platforms); research.
- Management body oversight and accountability:
it will impose direct obligations on “management bodies”
to approve and supervise the implementation of their
organisation’s cyber risk management measures, and makes them
liable for infringements. Sanctions can include fines and a
temporary prohibition on individuals discharging managerial
functions, including at C-Suite level. Notably, NIS2D
specifically provides that members of management bodies must
follow “specific trainings, on a regular basis, to gain
sufficient knowledge and skills in order to apprehend and assess
cybersecurity risks and management practices and their impact on
the operations of the entity”. It also grants wide supervisory
powers of access and audit to the competent authority over entities
that fall within the scope of NIS2D.
- Cyber risk management measures: it requires
entities subject to NIS2D to implement cyber risk management
measures that are “appropriate and proportionate technical and
organisational measures to manage the risks posed to the security
of network and information systems which those entities use in the
provision of their services.” NIS2D sets out a minimum list of
measures which entities must take, including risk analysis and
information system security policies; incident handling; business
continuity (including backup management and disaster recovery) and
crisis management; supply chain security; security in the
acquisition, development and maintenance of network and information
systems (including vulnerability handling and disclosure); policies
and procedures to assess the effectiveness of cyber risk management
measures; basic cyber hygiene practices and cybersecurity training;
policies on the use of cryptography and, where appropriate,
encryption; human resources security, access control and asset
management; and, where appropriate, multi-factor or continuous
authentication, secured communications and secured emergency
communication systems.
- Amended incident reporting requirements: NIS2D
imposes notification obligations in phases. An in-scope entity
must send the competent authority or CSIRT an early warning within
24 hours of becoming aware of a significant incident (one that has
caused or is capable of causing severe operational disruption or
financial loss for the entity, or considerable material or
non-material damage to others), an incident notification with an
initial assessment of severity and impact within 72 hours,
intermediate reports on request, and a final report within one
month of the incident notification. The NIS Directive, by
contrast, only required notification without “undue delay”.
Entities may also notify, on a voluntary basis, significant cyber
threats that could have resulted in a significant incident. It is
unclear at this point who the competent authority in Ireland will
be for such notifications, but it will likely be CSIRT-IE.
- Fines and penalties: Member States must provide for
effective, proportionate and dissuasive penalties for breaches of
NIS2D, including administrative fines of up to EUR 10M or 2% of
total worldwide annual turnover (whichever is higher) for essential
entities, and up to EUR 7M or 1.4% of total worldwide annual
turnover (whichever is higher) for important entities.
- GDPR and NIS2D: where the competent authority under NIS2D
becomes aware that an infringement by an entity of its cyber risk
management obligations (Article 21) or reporting obligations
(Article 23) can entail a personal data breach, it must inform the
data protection supervisory authority (in Ireland, the Data
Protection Commission) without undue delay. In-scope entities
should therefore align their NIS2D incident reporting with their
GDPR breach notification process, since one event may trigger both.
Actions for C-Suite and Next Steps
- At this stage, organisations should consider the scope of NIS2D
and whether their businesses fall within that scope. Notably,
certain categories of in-scope digital entity (DNS service
providers, TLD name registries, domain name registration service
providers, cloud computing, data centre and content delivery
network providers, managed service and managed security service
providers, and providers of online marketplaces, online search
engines and social networking platforms) must submit their name,
sector, the address of their main establishment and up-to-date
contact details to the competent authority by 17 January 2025, for
inclusion in a registry maintained by the European Union Agency for
Cybersecurity (ENISA).
- If an organisation concludes that it is within the scope of
NIS2D, it will need to conduct a thorough review of its technical
and organisational measures to ensure compliance with NIS2D.
- Organisations should also ensure they have proper incident
detection and breach reporting measures in place so that they can
meet the 24-hour early warning and 72-hour notification deadlines
if and when a significant incident occurs.
- In addition, in-scope organisations should keep an eye on how
NIS2D is implemented in the key EU jurisdictions where they operate
to see if there are any derogations from, or stricter national
requirements beyond, the Directive.
- Members of management bodies, including the C-Suite, should
ensure they have the training required under NIS2D.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.