EU NIS II Cybersecurity Rules Enter Into Force

Introduction

What’s this about?

In 2016 the EU introduced the so-called NIS Directive (NIS I) which EU countries had to implement in 2018 (just before EU GDPR fully came into force!). Broadly-speaking, NIS I was aimed at harmonizing cybersecurity regulation for critical infrastructure across the EU. Under the NIS I regime, entities that fall in scope have to report cybersecurity incidents to regulators and can face fines for compliance failures.

However, the NIS I regime didn’t seem to go entirely to plan, especially with an apparent lack of enforcement, and so in 2020 the EU proposed to completely overhaul it and replace it with new legislation, NIS II. This was finalized on 14 December 2022, and is also in the form of a directive, and has now entered into force. This article takes a brief look at the NIS II regime.

What’s in NIS II?

In broad terms, NIS II includes the following:

1. It covers medium and large entities from more sectors that are critical for the economy and society, including:
   • public electronic communications networks service providers;
   • digital service providers;
   • waste water and waste management service providers;
   • critical products manufacturers; and
   • postal and courier service providers.

It also covers more broadly the healthcare sector, for example by including medical device manufacturers, given the increasing security threats that arose during the Covid-19 pandemic. Under NIS II, in effect, all medium-sized and large entities operating within the applicable sectors or providing services covered by NIS II will fall within its scope;

2. It strengthens cybersecurity requirements imposed on companies (use of cryptography and encryption etc.);
3. It addresses security of supply chains and supplier relationships;
4. It introduces accountability of top management for non-compliance with cybersecurity obligations;
5. It streamlines reporting obligations:
   • any significant incidents will have to be reported, namely when an incident potentially causes severe operational disruption or financial losses for the entities concerned, or affects other natural or legal persons by causing considerable material or non-material losses;
   • where it is in the public interest to do so, regulators may inform the general public about a significant incident, or require the entity in question to do so;
   • entities in scope must notify the relevant regulator within 24 hours of becoming aware of a significant incident and provide a more detailed report within 72 hours. It is important to remember that the threshold for reporting under NIS II is different from the GDPR reporting threshold but that in many cases reports will have to be made under both regimes (with failure to report also being punishable under both); and
   • failure to implement security measures or report incidents can result in fines of up to 2% of the preceding year’s annual global turnover.
6. It introduces more stringent supervisory measures for national regulators, as well as stricter enforcement requirements;
7. It attempts to harmonize sanctions regimes across EU countries; and,
8. It increases information-sharing and cooperation on cyber crisis management at both the national and EU levels.

What’s next?

EU countries now have until 17 October 2024 to implement NIS II into their respective national laws, which must be applied from 18 October 2024.

What are the takeaways?

The expansion in scope under NIS II means that more entities and sectors will have to undertake cybersecurity risk management measures.

Post-Brexit the UK will of course not apply NIS II – but the UK may choose to introduce elements of NIS II in its own expected reforms of the NIS I regime. Organizations operating in the UK and the EU will however have to ensure compliance between what may eventually be two diverging regimes.

Organizations who are likely to fall under NIS II should consider:

1. Alerting the Board about NIS II and plan resources to address it;
2. Reviewing procedures to address risk assessment, response management, internal investigation, and, incident reporting;
3. Updating and/or revising policy documentation;
4. Reviewing contracts with vendors and adapt/introduce supply-chain NIS reporting obligations;
5. Undertaking training and developing internal cyber-security advocacy and awareness;
6. Re-evaluating and/or preparing a press strategy in the event of a breach;
7. Testing all of the above in a realistic real-time simulation such as Cordery Data Breach Academy (details at https://www.corderycompliance.com/cordery-data-breach-academy-2-2/) and,
8. Reassessing existing cyber-insurance or taking out a new policy.

Resources

We have written about the NIS regime here https://www.corderycompliance.com/eu-nis2-rules/ here https://www.corderycompliance.com/client-alert-nis-2-directive/, here https://www.corderycompliance.com/eu-network-information-security-directive-faqs/, here https://www.corderycompliance.com/uk-to-implement-eu-cybersecurity-directive/, and here https://www.corderycompliance.com/uk-government-response-to-cybersecurity-nis-digital-service-providers-consultation/.

We report about cyber security issues here: https://www.corderycompliance.com/category/cyber-security/.

We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.

NIS II can be found here https://eur-lex.europa.eu/eli/dir/2022/2555.

For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH		André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784		Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com		Andre.bywater@corderycompliance.com