29 August 2024

The NIS2 Directive Is On The Edge Of Enforcement: What Now For EU/US Companies?

Crowell & Moring LLP


Key Takeaways

1. New cybersecurity measures and requirements are introduced by the EU for companies.

2. Contractual provisions with the supply chain may need to be revised.

3. High penalties and liability for management, including personal liability.

I. Introduction

On October 18, 2024, the requirements of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) will enter into force. The NIS2 Directive outlines the cybersecurity responsibilities of both "essential" and "important" entities whose "management bodies" are tasked with implementation, emphasizing potential liability for failure to comply with the new mandates, along with significant penalties for entities and individuals that fail to meet their obligations.

II. What is the NIS2 Directive?

The objective of the NIS2 Directive is to set out measures to achieve a high common level of cybersecurity across the EU. It expands the scope of cybersecurity requirements to include both "essential" and "important" entities in various sectors, including energy, transport, banking, health, digital infrastructure, and others. The NIS2 Directive introduces size-based thresholds for its applicability and imposes substantial fines for non-compliance.

III. Which Entities Fall within the Scope of the NIS2 Directive?

The NIS2 Directive applies to a public or private entity that (1) falls within any of the industry sectors listed in Annex I (Sectors of High Criticality) or Annex II (Other Critical Sectors) of the Directive, (2) provides a service within the European Union, and (3) is at least a medium-sized enterprise within the meaning of the European Commission Recommendation 2003/361/EC of May 6, 2003 concerning the definition of micro, small and medium-sized enterprises.

If an entity is subject to the NIS2 Directive, it will have differing responsibilities depending on whether it is classified as an "essential" entity or an "important" entity. Essential entities are subject to a comprehensive ex ante and ex post supervisory regime, while important entities are subject to a light, ex post only, supervisory regime.

  • Essential entities are organizations that provide a service listed in Annex I and that meet the definition of a large enterprise as set out in Recommendation 2003/361/EC.
  • Important entities are organizations providing a service that:
    • is listed in Annex I and meets the definition of a medium-sized enterprise as set out in Recommendation 2003/361/EC; or
    • is listed in Annex II and meets the definition of a medium-sized or large enterprise as set out in Recommendation 2003/361/EC.

It is important to note that entities with subsidiaries may need to take into account the number of employees and annual turnover of their subsidiaries for the purposes of assessing medium or large enterprise criteria.

Moreover, some entities automatically fall under the purview of the NIS2 Directive, regardless of their number of employees or annual revenue, because of the potential for significant adverse impacts on European citizens resulting from disruptions to these businesses. They include:

  1. Providers of public electronic communications networks or services that are available to the public;
  2. Providers of trust services;
  3. Registries for top-level domain names and providers of domain name system services; and
  4. Public institutions.

As all Member States are required to transpose the NIS2 Directive into their national legislation by October 17, 2024, it is crucial for businesses to check whether the Member States in which they provide services have broadened the scope of the NIS2 Directive to cover additional companies.

In addition, entities that are not established in the EU but provide their services within the EU must designate a representative (similar to the requirements of the GDPR, Digital Services Act, etc.). The Member State in which the representative is established will be deemed to be the Member State in which the entity is subject to jurisdiction. In the absence of a representative, any Member State in which the entity provides its services may take direct action against the entity if it violates the NIS2 Directive.

IV. Which Obligations?

1. Risk Management Measures

Entities falling within the scope of the NIS2 Directive will be required to implement at least the following key measures:

  • Risk analysis and information system security policies;
  • Incident handling protocols;
  • Business continuity plans, such as backup management and business resumption;
  • Supply chain and network security measures, including the security aspects of the relationships between each entity and its direct suppliers or service providers. Companies must consider the specific vulnerabilities of each direct supplier and service provider, and evaluate the overall quality of their products and cybersecurity practices. This assessment shall include an examination of their secure development processes;
  • Cybersecurity testing;
  • Auditing procedures;
  • Regular cybersecurity training, not only for management bodies but also for employees;
  • HR Security, access control policies, and asset management; and
  • The use of multi-factor authentication and encryption, and secure emergency communications systems within the entity (where appropriate).

Management bodies are tasked with approving the cybersecurity risk management measures adopted by their entities and overseeing their implementation, and are responsible for failures to comply with the above measures. In addition, management bodies are required to undergo cybersecurity training—or face significant liability, discussed below.

While the NIS2 Directive does not set forth specific standards for cybersecurity in the context of implementing risk management measures, it does encourage Member States to adopt European and international standards and technical specifications to ensure a harmonized implementation. For instance, Belgium, with Luxembourg likely to follow, has referenced ISO 27001 certification in its laws enacting the NIS2 Directive, offering entities with this certification a presumption of compliance. Beyond ISO standards, international frameworks like NIST or CMMC could also be instrumental for US-based entities aiming to ensure compliance with the NIS2 Directive.

2. Reporting Obligations

Essential and important entities must promptly inform the national competent authority of any significant incident (i.e., a serious event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems). Additionally, they are required to notify the users of their services about significant incidents that could impact service delivery. For example, in the event of a significant cyber incident, a chemical manufacturer is required to notify both the relevant authority and its suppliers and customers, offering them any possible measures or remedies they can take in response to the threat.

The initial reporting of the incident must occur within 24 hours of awareness, followed by an official incident notification within 72 hours. Interim and final reports should be submitted to the competent authority within one month of the formal notification.

V. Implementation

Essential and important entities, as well as entities providing domain name registration services, will have until January 17, 2025, to register with the competent authority. Essential entities are required to disclose their cybersecurity measures (ex ante) to the competent authorities, while important entities are only required to register. The competent authorities may, at any time, require the important entity to provide evidence of compliance.

It is important to note that Member States may provide for a higher level of cybersecurity when implementing the NIS2 Directive into national law, so companies need to be careful and review the laws applicable in the countries where they provide services.

VI. Enforcement

Each Member State will need to appoint a competent national authority whose role encompasses overseeing the directive's enforcement, ensuring that entities comply with their cybersecurity obligations, and facilitating a coordinated response to cybersecurity incidents. This oversight is crucial for maintaining a high level of cybersecurity across the nation and for protecting the integrity of essential and important services.

VII. Sanctions and Liability of the Management Body

The enforcement measures range from issuing simple warnings to mandating remediation actions or requiring the public disclosure of violations of law.

Entities that fail to meet their cybersecurity risk management or incident reporting requirements may face administrative fines. For important entities, fines can reach up to 7 million euros or 1.4 percent of their total global annual turnover. Essential entities could be fined up to 10 million euros or 2 percent of their total global annual turnover.

Concerning the accountability of management bodies, any individual responsible for an entity, or acting as its representative, bears personal liability for failing to comply with the requirements of the NIS2 Directive—highlighting the significance of personal responsibility in cases of non-compliance. Some Member States, in the process of transposing NIS2, have established provisions that allow for the temporary suspension of individuals in managerial roles, such as managing directors or representatives, from executing their managerial duties within the entity if they fail to comply with directives from the competent authority.

VIII. Conclusion

Today's business environment requires increased vigilance regarding cybersecurity, stemming from the rise of diverse threat actors, such as competitors, ideologues (hacktivists), terrorists, cybercriminals, and nation-state actors, each presenting a considerable threat to the security and integrity of the business.

It is essential for entities to determine whether they are subject to the NIS2 Directive and, if so, to assess their cybersecurity responsibilities under the directive, which should include, among other things, performing a thorough gap analysis of their existing security measures. Such an analysis is pivotal for the entity to adopt and enhance the protocols necessary to comply with the NIS2 Directive by October 18, 2024. Although the investment required for cybersecurity may be significant, the cost of that investment will likely be far less than the financial and reputational damage incurred from a cyber incident.

Entities must shift their mindset from questioning if a cyber incident will occur to preparing for when it inevitably happens.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
