European Union (EU) member states have until September 2024 to implement the new 'Network and Information Security' directive - NIS2. This directive brings a number of important changes in cybersecurity. For instance, enforcement requirements will be strengthened and sanctions will apply across the EU. NIS2 also extends the scope to companies and organisations in new sectors. Companies and organisations covered will have to take adequate measures in areas such as cyber risk management, penetration testing, incident response and remediation. Those who fail to comply with NIS2 risk financial penalties based on companies' global turnover.
The NIS2 directive regulates companies and governments on cyber and information security. It is translated into national implementing acts and acts as a binding law, meaning your organisation (if within scope) will have to comply with the requirements. The NIS2 directive expands cybersecurity requirements and sanctions to harmonise and streamline the level of security across member states, and comes with stricter requirements for different sectors. Companies and organisations will have to deal with cyber risk management, control and monitoring, incident handling and business continuity, among other things. Furthermore, the directive also expands the number of organisations in scope. The Dutch authorities indicate that implementation of the NIS2 directive follows in September 2024, with expected compliance from the third quarter of 2024.
The NIS2 directive distinguishes between ‘essential entities’ and ‘important entities’ (see all sectors in the table below). The main difference between the two is that important entities will face lower financial penalties and will be subject to reactive supervision by authorities, as opposed to the proactive supervision reserved for essential entities. This means that unless there is a reason for it, such as a cyber incident or reports from external organisations such as auditors or other parties in the supply chain, an important entity will not face direct supervision from regulators and authorities.
The scope of sectors has been expanded as the European Commission wants to cover all organisations that perform important functions in society. This means that NIS2 also applies to sectors such as food production, waste management and the entire supply chain. ‘The focus of the NIS2 directive is not so much on how cyber incidents can lead to a risk for your organisation or harm your business’, says PwC’s privacy expert Bram van Tiel, ‘but how such incidents can harm or hinder society and the functioning of other businesses. So the scope goes well beyond traditional critical infrastructure organisations. In the energy sector, for instance, the scope under NIS was always limited to companies that produce, supply or balance energy in the electricity and natural gas sectors. Under NIS2, we expect the supply chain, e.g. manufacturers of wind turbines and operators of electric vehicle charging stations, to also be covered by the requirements.’
Sector | Entity type |
Energy - supply, distribution, transmission and sale of electricity, gas, oil, heating/cooling, hydrogen, EV charging point operators | Essential |
Transport - air, rail, road and water transport (including shipping companies and port facilities) | Essential |
Banking/finance - credit, trade, market and infrastructure | Essential |
Health - healthcare providers, research laboratories, pharmaceuticals, medical device manufacturing | Essential |
Water - drinking water suppliers and wastewater operators | Essential |
Digital infrastructure and IT services - DNS, name registries, trust services, data centres, cloud computing, electronic communication services, managed services and managed security services | Essential |
Public administration - central and regional (local optional) | Essential |
Space - ground-based infrastructure operators | Essential |
Postal and courier service providers | Important |
Waste management | Important |
Chemical products - production and distribution | Important |
Food - distribution and production | Important |
Manufacturers - medical/diagnostic devices, computers, electronics, optics, machinery, motor vehicles, trailers, semi-trailers, other transport equipment | Important |
Digital providers - online marketplaces, search engines, social platforms | Important |
Research organisations | Important |
The NIS2 directive sets requirements for management, risk control, business continuity and reporting to authorities. Bram van Tiel points out the main areas of concern:
‘The authorities do not notify you if this directive applies to you; your organisation must assess itself based on the criteria, which include both industry elements and size considerations. If an organisation with a large market share in a particular sector is ‘important’, it may even be considered ‘essential’ because of its size.
Management in your organisation should be familiar with the directive's requirements and risk management efforts. They are given direct responsibility for ensuring that cyber risks are identified, addressed and requirements are met.
The increased risk management and resilience requirements mean that your organisation must manage risks and implement both damage prevention and mitigation measures that reduce risks and impacts. Adequate measures are expected, for example, around incident management, cyber security in supply chains, network security, access control and encryption.
Your organisation should consider how to ensure business continuity if you are hit by a major cyber incident. This includes, for example, system recovery, emergency procedures and setting up a crisis organisation.
Finally, organisations must have processes in place to ensure proper reporting to authorities. Among other things, there is a hard requirement that major incidents are reported within 24 hours.’
The sanctions are extended by the NIS2 directive to include GDPR-like (AVG in Dutch) fines based on global turnover. These penalties depend on whether an organisation is an essential entity or an important entity. For essential entities, they are based on a minimum of ten million euros or two per cent of global annual turnover, whichever is higher. For important entities, fines are based on a minimum of seven million euros or 1.4 per cent of turnover.
Furthermore, there is personal and potential criminal liability for individuals at board level if they fail to comply with their obligations under the directive. Essential entities can expect ongoing supervision, including audits, reporting requirements and peer reviews. Important entities can expect supervision, mandatory audits and reporting if the rules are not complied with at an organisation.
From our experience working with organisations across the EU, we recommend the following steps:
assess whether you will be covered by the NIS2 directive;
identify gaps in relation to the directive's requirements;
identify the measures needed to meet the obligations in management;
design a strong cyber security framework that includes organisational and technical measures;
implement both organisational and technical measures in your organisation;
design and implement monitoring mechanisms to continuously validate the effectiveness of the measures.