The EU’s NIS2 Directive: key points you need to know
By Rachel Griffith, Lucie Wickens
25 Apr 2024 | 4 minute readAs technology is becoming more prominent, the levels of cybercrime are increasing. In light of this, the UK and EU governments are working to improve cyber resilience by strengthening cybersecurity laws.
In the EU, a new Network and Information Security Directive (NIS2) was implemented on 16 January 2023. NIS2 replaces the EU's previous Network and Information Security Directive (NIS1) and aims to improve Member States' collective cybersecurity by imposing extensive cybersecurity related obligations on specific sectors (including incident reporting obligations). These new requirements have to be incorporated by Member States into national law by 17 October 2024.
Separately, the UK is in the process of considering similar changes to the Network and Information Systems Regulations 2018 (NIS Regulations) which were implemented when it was part of the EU.
We have set out below some of the key changes to the EU's NIS regime under NIS2, potential developments to the UK's NIS Regulations and the relationship between NIS2 and the EU GDPR.
Why has the EU introduced NIS2?
Since NIS1 failed to create a common cybersecurity framework across Member States, there was a lack of consistency in how Member States approached information security. NIS2 aims to rectify this.
By increasing cooperation across Member States, NIS2 hopes to reduce cybersecurity regulatory divergence. Compared to NIS1, NIS2 expands security requirements and introduces more stringent fines and reporting requirements. It also covers new sectors and entities which makes NIS2 more comprehensive.
What does this mean for your business?
NIS1 distinguished between “operators of essential services” and “digital service providers”. NIS2 on the other hand classifies in-scope organisations based on their importance to society and the economy and divides them into “essential” and “important” entities.
NIS2 applies to essential and important entities that: (i) are established in a Member State; and/or (ii) are based outside the EU but provide services within a Member State.
“Essential entities”: entities with approximately 250 employees and an annual turnover of €50 million or balance sheet of €43 million, operating in the following sectors:
- Energy (electricity, oil, gas, district heating and hydrogen)
- Transport (air, rail, water and road transportation)
- Finance (banking and financial market infrastructure)
- Public administration (including social services, public safety, economic regulation and political representation)
- Health (public and private healthcare providers, medical equipment and medicine manufacturers, medical insurance providers and other critical health-related services)
- Space
- Water supply (drinking and wastewater)
- Digital infrastructure (Telecom, DNS, TLD, data centres, trust services, ICT management and cloud services)
- Any of the above sectors which reach the “important” entity size threshold outlined below.
Important entities: entities with approximately 50 employees, annual turnover of €10 million or balance sheet of €10 million, operating in the following sectors:
- Postal services (postal and courier services)
- Waste management (for maintaining public health, environmental protection and sustainability)
- Chemicals
- Research
- Foods
- Manufacturing (of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers, semi-trailers and other transportation equipment)
- Digital service providers (if using, providing or relying on the broad range of digital services including search engines, online markets, and social networks)
Certain entities may be covered by NIS2 even if they do not meet the above size criteria. For example, if the entity fulfils criteria that indicate it plays a key role for the economy, society or particular sectors and services. Further guidelines on the implementation of these criteria are due to be issued by the European Commission.
The European Commission introduced NIS2 to harmonise security requirements across Member States. This was deemed necessary as some Member States implemented NIS1’s security and incident reporting requirements in significantly different ways, creating an additional burden for businesses operating in more than one Member State. Under NIS2, all relevant entities must ensure that they implement the following (as part of the technical, operational and organisational measures they take to manage cybersecurity risks):
- Policies on risk analysis and information system security.
- Processes in respect of incident handling.
- Processes in respect of business continuity, such as backup management, disaster recovery, and crisis management.
- Processes in respect of supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
- Processes in respect of security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
- Processes in respect of human resources security, access control policies and asset management.
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Your organisation may already have stringent information and cybersecurity measures in place. However, you should assess whether those measures meet the minimum requirements set out above and, if not, what steps you need to take in order to comply with such requirements (for example, reviewing your policies and procedures or updating your business continuity plan).
The European Commission also plans to specify the technical and methodological requirements of the measures set out above with regard to certain essential and important entities including, but not limited to, cloud computing service providers and managed service providers by 17th October 2024.
NIS2 introduces more robust standards for security requirements in your supply chain security. If your business is affected by NIS2, you are required to carry out due diligence on your suppliers’ cybersecurity practices to mitigate the risk of security breaches in your supply chain. You also have to ensure that any technical, operational and organisational measures you take to manage supply chain security risks take into account the vulnerabilities of each supplier, their quality and the cybersecurity practices of the suppliers’ service providers.
NIS2 sets out specific penalties for non-compliance which include non-monetary penalties (such as compliance orders), administrative fines and criminal sanctions. Non-compliance fines for essential entities can reach up to 2% of total worldwide annual turnover or €10 million (whichever is higher) whilst fines for important entities can be up to 1.4% of total worldwide annual turnover or €7 million.
Depending on the size of your organisation, these penalties could have a significant financial impact. They also carry the risk of serious reputational damage. If you are an organisation within NIS2’s scope then developing an internal compliance framework will be key to mitigating these risks.
Security incidents that affect the provision or receipt of services by a relevant entity will have to be reported more stringently under NIS2. As part of this, you must notify the relevant competent authority within 24 hours of becoming aware of the incident, submit a final incident report within one month following discovery and inform recipients of services impacted.
You will need to think about how to ensure you can meet these reporting obligations if your organisation falls within NIS2’s scope. To enable your business to be able to recognise and report a potential cybersecurity threat or incident, you will likely need to provide adequate training and guidance, in the form of policies and procedures.
Implications for UK businesses
Businesses in the UK that don't offer services in the EU are not directly affected by NIS2. However, similar changes are being proposed to the UK NIS Regulations which UK businesses are already bound by.
Currently, UK businesses are not required to take action (unless they fall under NIS2 – see the section above). However, businesses caught by the existing UK NIS Regulations may find themselves needing to make changes to their business practices if the UK decides to align itself with NIS2 (although it isn’t anticipated that any such changes would be as far reaching as in the EU).
The UK government plans to expand the scope of the UK NIS Regulation to include digital service providers (which currently includes search engines, online marketplaces and cloud computing service providers) to include "managed service providers". Managed services are those that are:
- Provided B2B
- Relate to the provision of IT services, such as systems, infrastructure, networks and/or security.
- Rely on the use of network and information systems.
- Provide regular and ongoing management support as opposed to ad hoc IT consultancy and software development.
It will be interesting to see how the ICO responds to any changes introduced by the UK Government to the UK NIS Regulations after the implementation of NIS2.
As an aside, the UK government is also consulting on a Cyber Governance Code of Practice to help businesses and organisations manage the cyber risks they face, and drive increased cyber resilience across organisations. The proposed Code sets out the critical governance areas that directors need to tackle in order to protect their organisations. It is designed to be simple to use, with the relevant information all in one place and is for organisations of all sizes. We will be monitoring the outcomes of the UK government's consultation to assess the potential impact on our clients.
EU GDPR and NIS2
There are clear similarities between NIS2 and the EU GDPR. Both laws set out requirements to implement appropriate measures to mitigate potential security threats, notification obligations and provisions for fines and penalties for non-compliance with such requirements. Organisations covered by NIS2 which are also data controllers or processors under the EU GDPR will need to comply with both regimes.
A key point to note is that a NIS2 incident could also be a personal data breach under the EU GDPR. For example, a cyber-attack on a service provider could result in personal data (such as customer information) being compromised. However, NIS2 specifically provides that if a fine is levied under the EU GDPR for a personal data breach, the relevant entity will not be fined for the same infringement under NIS2. With this in mind, organisations that are required to comply with NIS2 and EU GDPR should ensure that their procedures and practices in respect of handling NIS2 incidents and personal data breaches are joined up. This will ensure that in the event of a cyber incident the relevant requirements under the EU GDPR and NIS2 are complied with.
Whilst there is overlap between the EU GDPR and NIS2, please note that these laws address different issues. NIS2 concerns the security of network and information systems and the digital data within them, which may include personal data. By contrast, the EU GDPR concerns the processing and protection of personal data only. NIS2 also covers fewer organisations than the EU GDPR, applying only to the relevant organisations outlined in the first section.
Get in touch
Speak to us about whether you think your organisation may fall within the scope of NIS2 and we would be happy to assist.