European Tech Regulation

Network and Information Security Directive

The second Network and Information Security Directive (NIS2, Directive (EU) 2022/2555) replaces the original 2016 NIS Directive and aims to further improve the cyber resilience and incident response capabilities of the public and private sectors across the EU.

Affected businesses

Companies fall within the scope of NIS2 if they provide services or carry out activities in the European Union, meet or exceed the EU definition of a ‘medium-sized enterprise’ (or are otherwise brought into scope regardless of size, as is the case for certain digital infrastructure providers and public administration entities), and operate in any of the following sectors:

  • Energy
  • Transport
  • Banking
  • Health
  • Space
  • Financial market infrastructures
  • Public administration
  • Information and communication technology (ICT) service management
  • Waste water
  • Digital infrastructure
  • Drinking water
  • Food production, processing and distribution
  • Research
  • Waste management
  • Digital providers
  • Chemicals
  • Postal and courier services
  • Manufacturing

NIS2 has extraterritorial effect: companies established outside the EU but offering in-scope services in the EU must comply with NIS2 if they are classified as either an essential or an important entity, and certain categories (for example DNS, cloud, data centre and managed service providers) must also designate a representative in a Member State.

Key impacts

NIS2 aims to harmonise cyber resilience through the following obligations:

  • Effective cybersecurity management – Ensuring appropriate and proportionate cybersecurity risk management measures are in place, including policies on risk analysis and information security; incident handling; business continuity (including backup management and disaster recovery) and crisis management; supply chain security; security in the acquisition, development and maintenance of network and information systems (including vulnerability handling and disclosure); policies on cryptography and encryption; access control and asset management; and the use of multi-factor authentication where appropriate.
  • Stricter obligations for organisations falling within the scope of NIS2 – Including adopting tailored security policies covering several specific risk areas; conducting regular staff training (extending to management bodies, which must approve the measures and oversee their implementation); and vetting the security levels of company supply chains to ensure an appropriate level of cybersecurity, in addition to the existing general obligation to implement sufficient technical and organisational measures.
  • Reporting obligations for cyber incidents – An early warning must be submitted within 24 hours of a company becoming aware of a ‘significant incident’. A more comprehensive incident notification must follow within 72 hours, and a final report within one month of that notification.
  • Enhanced supervision and enforcement – These powers include the ability to carry out audits and/or inspections, issue binding instructions, impose administrative fines and, for essential entities, temporarily prohibit individuals at management level from exercising managerial functions.

Enforcement

EU Member States must provide for administrative fines of up to 10 million euros or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher, for essential entities that breach the cybersecurity risk management measures and/or the incident reporting obligations. Important entities are subject to administrative fines of up to 7 million euros or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher, for the same infringements.

Key timings

NIS2 was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023, twenty days after publication.

As NIS2 is a directive, it does not automatically have legal force throughout every Member State; instead, it must be transposed into the national law of each Member State. Member States had until 17 October 2024 to transpose the NIS2 Directive into their national law, and the national measures apply from 18 October 2024, the date on which the original NIS Directive is repealed.