On 17 January 2023, the new Network and Information Systems Security Directive (“NIS2 Directive”), which is aimed at establishing a minimum level of cybersecurity standards across the EU and is set to replace its predecessor (the NIS or “NIS1 Directive”), entered into force. The new NIS2 Directive aims to further harmonize and strengthen cybersecurity and resilience throughout the EU in response to a continued increase in digitization and rise in cyber (and in particular ransomware) threats – which is estimated to have reached a total cost of €5.5 trillion at the end of 2020 (double the figure of 2015) and continues to rise in the EU and globally notably due to ongoing geopolitical conflicts in Ukraine and Russia. Importantly, the NIS2 Directive imposes direct obligations and liability on senior management for companies in scope, meaning senior management individuals could face administrative fines and/or a potential ban/discharge from managerial functions. On the same day, two related EU legislations entered into force – the new EU Digital Operational Resilience Act (“DORA”), which consists of an EU regulation and an EU amendment directive, and is aimed at harmonizing cyber security and resilience of IT systems used by the financial services industry, and the new EU Critical Entities Resilience Directive (“CER Directive”), which is aimed at strengthening the resilience of so-called ‘critical infrastructure’ (covering 11 critical sectors such as energy, transport, financial market infrastructures, and digital infrastructure) against specific threats including natural hazards, terrorist attacks, insider threats and sabotage.
The NIS1 Directive was the first piece of EU-wide cybersecurity legislation and aimed to enhance cybersecurity by creating a common security standard, favoring cooperation among EU Member States and imposing additional cyber-related obligations to providers of specific ‘critical’ services with a view to ensuring a continuity of such services in the EU. Although the NIS1 Directive was considered an important catalyst for the EU’s level of cyber resilience, it revealed a number of shortcomings – including significant divergence in EU Member State implementation of the NIS1 Directive, which led to a fragmented legal framework and protection in terms of cyber security – and which ultimately caused the EU to adopt a successor law, the NIS2 Directive. The NIS2 Directive is part of the EU’s new digital legislative package which is aimed at ‘making Europe fit for the digital age’, and which also includes, for instance, the EU’s proposed Cyber Resilience Act – please see our blog post on this Act here.
The NIS2 Directive’s key takeaways are as follows:
Scope of Application: the NIS2 Directive has a broader scope of application compared to its predecessor and applies to companies active in sectors including transport, financial market infrastructures (operators of trading venues and CCPs), digital infrastructure (e.g. cloud computing, data centre services, providers of publicly available electronic communications services, social media service providers and content delivery network providers), pharma and medtech (e.g. pharma, medical device and in vitro diagnostics manufacturers, laboratories), chemical manufacturers, digital service providers (e.g. social media, online search engines and online marketplaces) and public administration. In addition, the NIS2 Directive applies to ‘managed (security) service providers’ which includes companies that manage or maintain networks, infrastructure, information systems on customer premises or remotely, or related to cybersecurity risk management.
From a territorial perspective, organizations which are either established in the EU, or are outside the EU, and provide their services in the EU, are covered. Digital infrastructure and digital service providers, as well as managed (security) service providers are required to appoint an EU representative for purposes of the NIS2 Directive if the NIS2 Directive applies to them from an extraterritorial perspective.
Obligations and Liability Senior Management: one of the most significant changes in the NIS2 Directive as compared to the NIS1 Directive is that, with a view to ensuring a high level of responsibility for compliance with its requirements, NIS2 imposes direct obligations on so-called ‘management bodies’ with regard to the implementation of the required cybersecurity risk-management measures (see point 4 below). Management bodies would be considered those individual senior members of staff who (i) are responsible or act as a representative for the entity covered under NIS2, (ii) have the authority to take decisions on the legal entity’s behalf and/or (iii) have the authority to exercise control over the legal entity. Further, it provides that these management bodies can be held directly and personally liable for infringements by the legal entity for a lack of compliance with implementing cybersecurity risk-management measures. In addition, in certain cases authorities may temporarily prohibit management including chief executive officers and legal representatives from executing managerial functions. The NIS2 Directive does not foresee a particular standard of failure to trigger personal liability – however any intent or negligence on the part of the perpetrator of the infringement is taken into account when deciding on the enforcement measure.
Essential and Important Entities: the NIS2 Directive buckets the abovementioned (and other) type organizations in two categories – ‘essential entities’ and ‘important entities’ – and imposes a more onerous set of requirements onto the first category. With this, the NIS2 Directive has departed from the original distinction maintained by the NIS1 Directive, which distinguished ‘operators of essential services’ and ‘digital service providers’. EU Member States are responsible for keeping an up-to-date list of all essential and important entities operating under their jurisdiction.
Cybersecurity Risk-Management Measures: compared to the NIS1 Directive, the NIS2 Directive is more explicit in terms of the cybersecurity measures which essential and important entities must implement and provides that these must be aimed at protecting the network and information systems, as well as the physical environment of those systems, against incidents and at least include (i) internal policies on risk analyses and IT security, (ii) measures and policies on incident handling, (iii) business continuity measures e.g. disaster recovery, (iv) supply chain security measures, (v) measures related to securing network and information systems acquisition, development and maintenance, (vi) policies and procedures to assess the effectiveness of cybersecurity measures, (vii) basic cybersecurity hygiene and cybersecurity training for staff, (viii) HR security, access controls and access management, and (ix) the use of multi-factor authentication or continuous authentication solutions and secure communication channels. Management bodies of essential and important entities are responsible for the implementation of these measures and can be held liable in addition to the legal entity itself.
Incident Reporting: essential and important entities are required to notify the competent authority and as appropriate, their service recipients, of any cyber incident with significant impact – meaning incidents which (i) have caused or are capable of causing severe operational disruption or financial loss for the entity, or (ii) have affected or are capable of causing considerable material or non-material damage to other (natural or legal) persons. Importantly, such incident reporting requirements will be triggered as soon as there is an incident with significant impact, and irrespective of whether or not personal data are involved.
The incident reporting timelines are stricter than, for instance, under GDPR and are layered as follows: (i) a first ‘early warning‘ must be provided to the authority within 24 hours of becoming aware of the incident, (ii) followed by a more formal incident notification must be provided within 72 hours, (iii) and finally a final report must be submitted after one month after the submission of the incident notification mentioned in (ii). Further, entities must respond to requests from the authority for status updates and/or provide progress reports. The competent authority can also compel the entity concerned to inform the public about the significant incident or issue a public statement to this effect itself.
In line with the other laws in the new EU digital legislative package, the NIS2 Directive foresees in information sharing provisions, albeit predominantly on a voluntary basis with respect to incident reporting: both entities within and outside the scope of the NIS2 Directive can share information on cyber threats, vulnerabilities and other cyber risk with competent authorities where such information sharing aims to prevent, detect, respond to, recover from or mitigate the impact of a cyber incident or to enhance the general level of cybersecurity.
Relationship with the GDPR: the NIS2 Directive is without prejudice to a number of EU laws, including the GDPR and the ePrivacy Directive – however it also provides that where sector-specific EU legislation requires essential and important entities to adopt certain cybersecurity measures or comply with incident notification requirements, the equivalent provisions in the NIS2 Directive shall not apply, provided that such sectoral legislation is ‘at least equivalent’ to the obligations in the NIS2 Directive. It is unclear as to whether this may mean that essential or important entities notifying an incident under the NIS2 Directive which may also qualify as a notifiable personal data breach under the GDPR, should no longer separately notify the incident to the competent Data Protection Authority under the GDPR. The NIS2 Directive calls on the EU Commission (presumably the DG for Communications Networks, Content, and Technology) to issue guidance in this respect by 17 July 2023.
Fines and Other Sanctions: EU Member States, through implementation of the NIS2 Directive into national law, are competent to set the maximum amount for administrative fines for non-compliance with NIS2 obligations – but the NIS2 Directive provides that this maximum amount in national law should at least be set at 10m EUR or 2% of total worldwide turnover, whichever is the higher, where essential entities are concerned. Other sanctions include (i) the temporary suspension of relevant authorizations and/or certifications which covered entities need to provide their services in the EU, (ii) an order for the covered entity to make certain elements of its infringement(s) public and/or inform their service recipients (customers) of the infringement(s), and (iii) the imposition of injunctions to immediately put a stop to infringing behaviour. Enforcement will take place at the national EU Member State level, although the NIS2 Directive foresees in mutual assistance and cooperation provisions among the relevant competent national authorities in case of cross-border enforcement action. ENISA (the EU Agency for Cybersecurity) will have a coordinative and advisory role.
Sector-specific Cyber Rules for the Financial Services Industry: In the same vein, the EU adopted the new EU DORA legislative package, consisting of both an EU regulation and directive, and which is considered to be sector-specific legislation covering cybersecurity as it relates to the financial services industry. Similar to the NIS2 Directive, DORA aims to achieve a high common level of digital operational resilience by laying down uniform requirements concerning the security of network and information systems, such as ICT risk management, major ICT-related incidents reporting, major operational or security payment-related incidents, digital operational resilience testing, and requirements in relation to contractual arrangements entered into between ICT third-party service providers and financial entities. In particular, DORA also sets requirements for third party service providers that offer ICT-related services to financial service entities, such as data analytics or cloud services. DORA does not explicitly foresee that senior management can be held liable under DORA but does provide that they will be responsible in certain circumstances.
Both the NIS2 Directive and DORA have formally entered into force on 17 January 2023. However, in order for the NIS2 Directive to be enforceable with regard to covered entities, it will need to be implemented into EU Member State national law (the deadline for which is set at 17 October 2024). Organizations should determine if they are subject to the NIS2 Directive and if they are, they should, among other things, make sure to implement cyber security measures in compliance with the minimum security measures currently provided for in the Directive, and make sure they can comply with the incident reporting obligations including the timelines foreseen in the Directive. Unlike the NIS2 Directive, the DORA Regulation is an EU regulation and therefore does not require EU Member State implementation in order to be enforceable – it is fully enforceable as of the date of its entry into application, which is set at 17 January 2025 (i.e., two years following its entry into force).