The eagerly awaited NIS2 was finally published in the Official Journal of the European Union on 27 December 2022.
NIS2 introduces a host of new cybersecurity obligations for a wider range of sectors/entities in an effort to ramp up defences against the surge of cyber-attacks in an era of increased digitisation. It builds on the foundations of its predecessor, NIS1, which requires in-scope entities to implement adequate and proportionate measures to manage cyber risks and minimise the impact of security incidents and imposes certain incident reporting requirements.
NIS2 clarifies and strengthens these core obligations. It expands the types of sectors in-scope (e.g. manufacturing of certain critical products; food; public administration; waste management and postal/courier services). It also introduces new actors within existing in-scope sectors (e.g. managed service providers, cloud computing platforms, data centres, content delivery network providers, electronic communication services and electronic communication network services within the digital infrastructure sector). NIS2 classifies entities based on their importance, resulting in two categories: “essential entities” and “important entities”. Both entities are subject to the same cybersecurity risk management and reporting requirements, but the supervisory and penalty regimes differ.
Most notably, NIS2 will implement stronger security requirements in accordance with the principle of security by default and by design – it sets out a baseline list of focused cybersecurity measures which must be implemented at a minimum in connection with a range of specified matters including incident handling, business continuity, supply chain security, encryption, access control, the use of multi-factor authentication and vulnerability handling/disclosure.
NIS2 also imposes updated notification requirements - in-scope entities must submit an “early warning” to their Computer Security Incident Response Team or competent authority (to be designated by each Member State) within 24 hours of becoming aware of a “significant” incident, followed by an incident notification within 72 hours of that awareness and a final report within one month of the incident notification. When appropriate, notification must also be given to the impacted service recipients, including details of the threat and an indication of the measures those recipients can take to respond to the attack.
NIS2 clarifies the application of the principle of “establishment”. In-scope entities are subject to the jurisdiction of the competent authorities of the Member State in which they are established. However, there are exceptions - providers of communications and electronic network services are subject to the jurisdiction of the country where the recipients of their services are located and certain online services are subject to the jurisdiction of the EU country where their “main establishment” is located. Note that in-scope “essential” and “important” entities not established in the EU but which "offer services" in the EU will have to comply with the obligations set out by this new regulatory framework, must designate a legal representative in one of the Member States where its services are offered and will fall under the jurisdiction of that Member State.
NIS2 introduces a comprehensive “ex-ante” supervisory regime for “essential” entities - competent authorities will have a wide range of supervisory/enforcement powers to ensure compliance, including the power to temporarily suspend a non-compliant essential entity’s business activities or the exercise of managerial functions by its senior management and impose specific prohibitions and administrative fines (up to a maximum of at least €10 million or 2% of global turnover, whichever is the greater). Member States may also opt to impose criminal penalties for non-compliance which may be levied on so called “management bodies”. A lighter touch “ex-post” regime will apply to “important” entities (with lesser fines of up to €7 million or 1.4% of global turnover).
Finally, NIS2 will require in-scope entities to address cybersecurity risks not just internally but also in their supplier/service provider supply chain – this will require an assessment of the overall quality of products/services and cybersecurity practices of suppliers/service providers.
In short, NIS2 has a much wider reach, imposes more stringent obligations and has more bite than NIS1.
NIS2 will enter into force on 16 January 2023. Member States must adopt and publish the measures necessary to comply with NIS2 by 17 October 2024 and must apply those measures from 18 October 2024.
Whilst this may seem like a long way off, given the wide reach of NIS2, the level of detail specified regarding its core requirements and the potential risks and costs of non-compliance, in-scope entities should start to review their operations and consider the organisational, financial and technical steps required to protect themselves from possible cyber-attacks and to adequately prepare for the more onerous cybersecurity requirements of NIS2.
Watch this space for further updates on Member States’ approaches to implementing NIS and the UK’s National Security Strategy.
"Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cyber threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States."