A guide to the new NIS directive (NIS2)

We previously released some guidance around the new Network and Information Security Directive (NIS2), which you can read here. NIS2 has many different areas to dive into, so we thought we'd make this guide to keep you up to date with the new directive ahead of the changes.

Introduction To make the EU digitally safer, the EU published a new version of the Network and Information Security directive ( NIS2 ) at the end of 2022. After the translation of NIS2 into national legislation by the Member States, is expected to become effective at the end of 2024.

NIS2 will be applicable to more sectors and entities than the current directive, with more explicitly described security measures and fines, stricter incident reporting obligations, and will empower national supervisory authorities.

What are the timelines? NIS2 was approved and published by the EU at the end of 2022 and the implementation period of 21 months began in January 2023, during which the directive must be incorporated into national legislation. National laws are expected to enter into force at the end of 2024. From then, organisations must fulfill their duty of care and reporting.

Which organisations are in scope? Entities in the sectors mentioned in the table below are in scope. NIS2 makes a clear distinction between essential sectors and important sectors .

Essential entities will be actively monitored by supervisory authorities, whereas passive supervision will be carried out on the important entities.

Essential sectors: Energy, Transport, Banks, Financial market infrastructure, Health, Drinking water, Waste water, Digital Infrastructure, ICT Service Management, Public Administration, Space

Important sectors: Postal and courier services, Waste management, Chemicals, Food, Manufacturing, Digital services, Research

NIS2 does not apply to entities employing fewer than 50 persons and whose annual turnover (or annual balance sheet total) does not exceed 10 million. Exceptions to this size criteria are, for example, providers of trust services and public electronic communication services.

Will there be central registers maintained with organizations in scope? By April 2025, Member States shall establish a list of essential and important entities, and entities providing domain name registration services. For the purpose of establishing the list, Member States shall require the entities to submit at least the following information to the competent authorities:

(a) the name of the entity;

(b) the address and up-to-date contact details, including email addresses, IP ranges and telephone numbers.

The entities shall notify any changes within two weeks of the date of the change.

ENISA, the European Union Agency for Cybersecurity, will be responsible for the creation and maintenance of a registry for entities providing cross-border services e.g, DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, and data centre service providers. Entities in scope are obliged to provide the required information before 18th January 2025.

Is governance and liability addressed? Management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities and oversee its implementation and can be held liable for infringements.

What does the duty of care mean for organisations? Organisations must take appropriate measures for the security of network and information systems, including the physical environment. Appropriate means that they are tailored to the risks. The directive states that, among other things, there must be:

Information systems risk analysis and security policy

Incident Handling

Business continuity, such as backup management, contingency, and crisis management

Security of the supply chain and life cycle of network and information systems, including response to and disclosure of vulnerabilities

Policies and procedures for assessing the effectiveness of security measures

Basic cyber hygiene practices and cyber security training

The directive refers to European and international standards for the design of security measures and specifically mentions the ISO 27000 series. Guidelines for cyber security and hygiene are also available on websites of (semi) governmental websites e.g., the Centre for Cyber Security Belgium, the National Cyber Security Centre and the Rijksinspectie Digitale Infrastructuur (both in the Netherlands).

What does the duty to report mean for organisations? The entities in scope of NIS2 must issue a preliminary alert for any significant incident (without delay) or any event, within 24 hours, and submit an incident report to the Computer Security Incidents Response Team (CSIRT) or competent authority within 72 hours at the latest.

Furthermore, entities will have the obligation to report changes related to the lists, with entities maintained by the European Union Agency for Cybersecurity (ENISA), and Member States.

What is the supervisory regime? Member States will monitor compliance with NIS2-based legislation. The essential entities will be actively supervised. Important entities will be passively supervised, meaning supervising authorities will take action if there is reason to do so, e.g., in the event of an incident.

Supervising authorities will have the power to subject entities, at least, to on-site inspections, off-site supervision, regular and ad hoc audits, security scans, and requests for documentation and information.

What are the possible fines? Administrative fines can be imposed on essential entities up to a maximum amount of at least 10 million, or up to at least 2% of global annual turnover.

Administrative fines can be imposed on significant entities up to a maximum amount of at least 7 mill

LINK:	https://www.resillion.com/a-guide-to-the-new-nis2-directive/...
	See more stories from eurofins

More from Eurofins