Significant changes
• A broader scope: The NIS2 Directive applies to medium-sized and large public and private enterprises in critical sectors. While still applying to businesses in sectors covered by the original NIS Directive (e.g., energy, transport, health, banking, and digital infrastructure), the NIS2 Directive now covers a wider range of sectors, such as postal and courier services, medical devices, food distribution, public electronic communications networks and publicly available electronic communications services, and digital providers (including, notably, providers of social networking platforms).
In particular circumstances, the NIS2 Directive shall apply regardless of the size of the enterprise. For example, an entity that is the sole provider of a service in a Member State or to a (central or regional) public administration shall be covered under the NIS2 Directive regardless of size.
• National cybersecurity strategy: The NIS2 Directive requires Member States to adopt a national cybersecurity strategy covering objectives and priorities in the sectors subject to the NIS2 Directive, a governance framework clarifying, among other things, the roles and responsibilities of relevant stakeholders, a mechanism to identify relevant assets and assess risks, and cybersecurity standards and guidelines (this is also required of entities not subject to the NIS2 Directive).
• Minimum obligations for entities subject to the NIS2 Directive: A set of minimum obligations (to be implemented by Member States) to manage cybersecurity risks has been introduced. These include adoption of policies for risk analysis and information system security, incident handling, business continuity and crisis management, and supply chain security, policies and procedures regarding cryptography and encryption, and periodic assessment of effectiveness of cybersecurity management measures.
• Security incident handling: The NIS2 Directive streamlines the system for handling security incidents, including at the EU level. For this purpose, the NIS2 Directive establishes a European cyber crisis liaison organization network (EU-CyCLONe) that supports coordinated management of large-scale cybersecurity incidents. Additionally, the NIS2 Directive introduces an obligation to submit an early warning to the appropriate authority within 24 hours of becoming aware of a significant incident.
National implementation
The NIS2 Directive shall enter into force 20 days after it has been published in the EU Official Journal. Member States will have up to 21 months to proceed with national implementation.