The NIS2 Directive (Directive (EU) 2022/2555) is a European legislative framework designed to enhance cybersecurity across the European Union. It replaces the NIS1 Directive and aims to establish a high common level of cybersecurity for network and information systems. The directive was published in the Official Journal of the European Union in December 2022 and entered into force on January 16, 2023. Member States have until October 17, 2024, to transpose the directive into national law and apply those measures from October 18, 2024.
Who is Affected by NIS2?
NIS2 applies to a wider range of sectors and entities than its predecessor. Two main categories are covered:
1. Essential Entities (EE): These include organizations operating in sectors critical for societal and economic functioning, like energy, transport, healthcare, and digital infrastructure.
2. Important Entities (IE): This category encompasses organizations in sectors that are not considered critical but could still significantly impact society and the economy if affected by a cyber incident, such as postal and courier services, and the manufacturing and distribution of chemicals.
The specific entities within each sector are outlined in Articles 2, 3, and 4 of the directive. It’s crucial to note that NIS2 applies to entities established in Belgium, meaning those effectively carrying out an activity through a stable installation. For non-EU entities, NIS2 applies if they offer services within the EU. These entities need to designate a representative within the EU.
Key Requirements and Obligations
NIS2 outlines a comprehensive set of cybersecurity requirements for organizations to implement. Some of the key obligations include:
- Risk Management: Organizations must implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. This involves:
  - Policies for risk analysis and information system security
  - Business continuity plans
  - Supply chain security measures
  - Cyber hygiene practices
  - Cryptography usage
  - Human resources security
  - Access control policies
- Incident Reporting: Organizations must report significant cyber incidents to the relevant national authority (in France, it’s the ANSSI). Specific reporting timelines are in place, with initial reporting required within 24 hours and a complete notification within 72 hours. A final report must be submitted within one month.
- Supply Chain Security: Organizations must assess and address cybersecurity risks within their supply chain, particularly regarding relationships with suppliers and service providers. This involves identifying vulnerabilities and evaluating the overall security practices of each supplier and service provider.
- Management Body Responsibility: The management bodies of organizations are directly responsible for cybersecurity. They must approve risk management measures, oversee their implementation, and can be held liable for infringements.
- Training: Management bodies are required to undergo regular cybersecurity training. This training should equip them with the knowledge and skills to identify risks, evaluate cybersecurity risk management practices, and assess their impact on the organization’s services. Organizations are encouraged to offer similar training to their employees.
Preparing for NIS2
Given the extended scope and stricter requirements of NIS2, organizations need to begin preparing for compliance. Here are some key steps:
1. Determine Applicability: It’s essential to determine if your organization falls under the scope of NIS2. Consider the sector your organization operates in and the potential impact of a cyber incident on society and the economy.
2. Gap Analysis: Identify any gaps between your current cybersecurity practices and the requirements of NIS2. A comprehensive gap analysis will reveal areas where improvements are needed.
3. Cybersecurity Strategy: Develop a robust cybersecurity strategy that encompasses both organizational and technical measures. This should include risk management policies, incident response plans, and supply chain security assessments.
4. Seek Expert Advice: If needed, consult with cybersecurity experts to guide your organization’s compliance efforts. Experts can help implement appropriate measures, conduct gap analyses, and provide training for management and staff.
Penalties and Enforcement
Failure to comply with NIS2 can result in significant penalties, including fines and the suspension of management responsibilities. The maximum fines for EEs can reach up to €10 million or 2% of global annual turnover, whichever is higher. For IEs, the maximum fines are €7 million or 1.4% of global annual turnover, whichever is higher. Member States have the authority to conduct audits and inspections and to impose sanctions to ensure compliance.
Conclusion
NIS2 represents a significant step forward in strengthening cybersecurity across the EU. Organizations need to understand the directive’s requirements and take proactive steps to ensure compliance. Failure to comply can result in substantial financial penalties and damage to reputation. By preparing effectively, organizations can enhance their cybersecurity posture and contribute to a more resilient digital environment.
Additional Considerations
- Although France’s transposition of NIS2 has been delayed, the directive’s provisions can still be invoked in legal proceedings. This means that organizations could be held liable for failing to meet the directive’s minimum security requirements, even in the absence of national legislation.
- The ANSSI, France’s cybersecurity agency, will play a crucial role in overseeing NIS2 implementation. The agency will provide guidance, conduct audits, and enforce compliance. Organizations should actively engage with the ANSSI to stay informed about the latest developments and requirements.
- The relationship between NIS2 and other regulations, such as the Digital Operational Resilience Act (DORA), is addressed in Commission Guidelines. In cases where an entity is subject to both NIS2 and DORA, DORA takes precedence.