NIS 2
How companies need to prepare for the EU's new cybersecurity directive
Background
The European Union has recognized the increasing importance of cybersecurity in the digital age and the crucial role it plays in protecting vital infrastructure and ensuring the smooth functioning of digital services. The objective of Directive (EU) 2016/1148 (NIS 1) was to build cybersecurity capabilities across the Union, mitigate threats to network and information systems used to provide essential services in key sectors, and ensure the continuity of such services in the event of incidents, thereby contributing to the security of the Union and the smooth functioning of its economy and society. However, the review of NIS 1 has shown that Member States have implemented the Directive in very different ways, including with respect to its scope, the delimitation of which was largely at the discretion of the Member States. Furthermore, Member States have also been given very wide discretion in implementing the security and security incident reporting obligations set out in the Directive. These obligations have therefore been implemented in very different ways at national level, which can lead to fragmentation of the internal market and have a detrimental effect on its functioning, especially in the case of cross-border provision of services.
Goals of the EU NIS 2 Directive
The objective of NIS 2 is to eliminate the wide differences in the interpretation of NIS 1 between Member States by establishing minimum rules for a functioning and coordinated legal framework. This mainly concerns the list of sectors and activities subject to cybersecurity obligations and the harmonization of rules on minimum security standards and reporting requirements. Furthermore, the regulatory framework for monitoring and enforcement measures is to be standardized. As a consequence, all Member States should develop and implement a comparable level of resilience to cyber threats.
Scope of the EU NIS 2 Directive
The unification of the scope is an essential part of NIS 2. A striking feature is the elimination of the distinction between operators of essential services and digital service providers, which is replaced by a division into essential and important facilities, which are in turn assigned to sectors. Annex 1 lists the “high criticality sectors” (energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, ICT service management, space) and Annex 2 lists the “other critical sectors” (postal and courier services, waste management, food, manufacturing or production of goods, digital service providers, research). In addition to the sector, the size of the company is also relevant for the classification into essential and important facilities; the European Commission's definition of enterprise size is used for this purpose[1]. The basic rule is that large companies (>250 employees, annual turnover >50 million €) which fall under sectors of Annex 1 are considered essential facilities, and medium-sized companies (>50 employees, annual turnover >10 million €) in these sectors are considered important facilities. Companies that fall under sectors of Annex 2 are generally considered important facilities if they belong to the category of medium or large companies. Small businesses (<50 employees) are usually exempt, but there are some special cases in which small and even micro businesses (with no size limit) can be classified as important or even essential facilities:
- Certain types of entities in the digital infrastructure sector (public electronic communications service providers, DNS service providers, top-level domain registrars, and trust service providers);
- Entities identified as critical entities under the CER Directive[2];
- Companies classified by a Member State as essential or important on the basis of the following criteria:
  - the company is the sole provider of a service essential to maintaining critical social or economic activities;
  - a disruption of the service could have a significant impact on public safety, public order, or public health;
  - a disruption of the service could pose a significant systemic risk (in particular one with cross-border impact);
  - the company is of particular importance at the regional or national level for the sector or type of service in question, or is critical for other interdependent sectors.
In the event that there are sector-specific legal acts for certain sectors that are considered equivalent in their effect to the obligations set out in NIS 2 (with regard to security measures and reporting obligations), then these sector-specific legal acts apply instead of NIS 2 (so-called “lex specialis”). For the banking sector, DORA[3] is such a “lex specialis.”
[1] Commission Recommendation 2003/361/EC; https://eur-lex.europa.eu/EN/legal-content/summary/micro-small-and-medium-sized-enterprises-definition-and-scope.html
[2] Directive (EU) 2022/2557; https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2557
[3] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience in the financial sector; https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554
Key requirements of the EU NIS 2 Directive for companies
Risk management and governance
Risk management and governance are a key part of the requirements for companies affected by NIS 2. In this context, the “governing bodies” (i.e., boards of directors, managing directors, and the like) of essential and important facilities must explicitly approve cybersecurity risk management measures, monitor their implementation, and can also be held responsible for violations of them. To be able to do this, members of the governing bodies of essential and important facilities must participate in regular relevant training to acquire sufficient knowledge and skills to identify and assess risks and management practices in the area of cybersecurity, as well as their impact on the services provided by the facility.
In principle, essential and important facilities must take suitable and proportionate technical, operational and organizational measures, in line with the state of the art, to manage the risks to the security of the network and information systems that they use to operate or provide their services, and to prevent or minimize the impact of security incidents on the recipients of their services and on other services. Proportionality is the determining factor here, not whether the category is essential or important. In assessing the proportionality of these measures, the extent of the facility’s exposure to risk, the size of the facility, and the likelihood of security incidents occurring and their severity, including their societal and economic impact, shall be considered.
Security requirements and security measures
The measures to be implemented in this context must be based on an “all hazards approach” aimed at protecting the network and information systems and the physical environment of these systems from security incidents. NIS 2 lists a number of measures that must at least be included:
- Concepts related to risk analysis and security for information systems;
- Security incident management processes;
- Business continuity measures, such as backup management and disaster recovery, and crisis management;
- Supply chain security measures, including security-related aspects of relationships between companies and their service providers;
- Security measures in the acquisition, development, and maintenance of network and information systems, including vulnerability management and disclosure;
- Concepts and procedures for evaluating the effectiveness of cybersecurity risk management measures;
- Basic cyber hygiene procedures and cybersecurity training;
- Concepts and procedures for the use of cryptography and, where appropriate, encryption;
- Personnel security, access control concepts, and asset management;
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communications systems within the facility, as appropriate.
In contrast to NIS 1, NIS 2 is much more specific in its requirements. In addition, by October 17, 2024, the Commission shall adopt implementing acts specifying the technical and methodological requirements for those measures with respect to DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery network operators, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers. Further implementing acts detailing or extending the technical and methodological requirements and, where necessary, the sectoral requirements may follow.
Security in the supply chain
With respect to supply chain security, the Directive specifically emphasizes that risk assessments must take into account the specific vulnerabilities of each direct supplier and service provider, as well as the overall quality of their products and cybersecurity practices, including the security of their development processes.
The topic of cybersecurity in the supply chain can also be found in Article 7, which deals with the national cybersecurity strategy. There, the requirement is noted that the national cybersecurity strategy must include the following:
- Supply chain cybersecurity approaches for ICT products and ICT services used by entities to deliver their services;
- Cybersecurity-related requirements for ICT products and ICT services in public procurement, including with respect to cybersecurity certification, encryption, and the use of open-source cybersecurity products;
- Approaches to strengthen the baseline level of cyber resilience and cyber hygiene of small and medium-sized enterprises, especially SMEs excluded from the scope of the Directive, by providing easily accessible guidance and support for their specific needs.
The strong emphasis on supply chain security, and on the security measures required along the supply chain, extends the circle of companies affected by NIS 2 well into the middle market. In principle, every company that supplies essential or important facilities is affected, at least indirectly. Because companies covered by NIS 2 will have to ensure security in their supply chain, the basic security requirements will be passed on to their suppliers, who will in turn have to provide corresponding evidence of compliance.
Incident reporting and cooperation with authorities
Essential and important facilities are required to immediately notify their CSIRT/CERT or, as applicable, their competent authority of any security incident that has a significant impact on the provision of their services (a significant security incident). A security incident is considered significant if it has caused or may cause serious operational disruption of services or financial loss to the entity concerned, and/or if it has affected or may affect other natural or legal persons by causing significant material or immaterial damage. Further, where required, companies must also promptly inform recipients of their services who are potentially affected by a significant cyber threat about that threat and about any actions those recipients may take in response to it. The initial report must be submitted within 24 hours, and an initial assessment of the security incident must follow within 72 hours at the latest, including an assessment of its severity and impact and, if applicable, the indicators of compromise. A final report must then be available no later than one month later; it must include a detailed description of the security incident, including its severity and impact, details of the nature of the threat or underlying cause, and details of the remedial actions taken and ongoing.
Provided that disclosure of the significant security incident is in the public interest, the competent authority may, after consultation with the facility concerned, inform the public of the significant security incident or require the facility to do so. NIS 2 further states that mere notification does not create a higher liability for the reporting entity.
Monitoring and enforcement
Supervisory measures
The oversight framework is the biggest difference between essential and important facilities. In principle, essential facilities are subject to ex-ante supervision and important facilities to ex-post supervision. This means that for important facilities, a regulatory review will only occur if there is evidence, indication, or information that an important facility is suspected of not complying with the requirements of NIS 2, particularly with respect to security measures or reporting requirements. In the case of essential facilities, on the other hand, compliance is checked regularly as part of security inspections. In doing so, the authorities are authorized to undertake at least the following activities:
- On-site inspections and external supervisory activities, including spot checks conducted by trained professionals;
- Regular and targeted security audits carried out by an independent body or a competent authority;
- Ad hoc audits, including those warranted by a significant security incident or a violation of NIS 2 by the essential facility;
- Security scans based on objective, non-discriminatory, fair, and transparent risk assessment criteria, in collaboration with the facility concerned where necessary;
- Requesting information necessary to evaluate the cybersecurity risk management measures taken by the facility concerned, including documented cybersecurity policies;
- Requesting access to data, documents, and other information necessary to perform supervisory duties;
- Requesting evidence of the implementation of cybersecurity concepts, such as the results of security audits conducted by a qualified auditor and the corresponding underlying evidence.
Enforcement and punitive measures
If the Authority determines that a facility is not complying with the aforementioned measures and requirements, it shall have the authority to immediately take all necessary, appropriate and proportionate corrective action. These include:
- Issuing warnings about violations;
- Issuing binding instructions regarding corrective actions, including deadlines for implementing these actions and for reporting on their implementation;
- Instructions to inform individuals or entities of significant cyber threats and of possible defensive or remedial actions;
- Appointment of a monitoring officer to oversee compliance with security requirements and reporting obligations for a specified period of time;
- Instructions to publicly disclose aspects of NIS 2 violations;
- The imposition of fines.
In the event that the required measures are not taken within the set time limit, the competent authorities shall also have the power to temporarily suspend the certification or authorization of part or all of the relevant services or activities provided by the essential facility, as well as to temporarily prohibit natural persons responsible at the management or board level in that essential facility from performing management functions in that facility. NIS 2 further states that these natural persons may also be held personally liable for violations of NIS 2.
For essential facilities, the fines have a maximum of at least EUR 10 million or at least 2% of the company’s total worldwide turnover in the previous financial year. For important facilities, this maximum is reduced to at least EUR 7 million or at least 1.4% of total worldwide turnover.