On 10 November 2022, the European Parliament approved the Network and Information Security 2 Directive (“NIS 2”), moving a step closer to expanding the scope of the Network and Information Security (“NIS”) Directive, the EU’s first cybersecurity legislation. NIS 2 builds on the NIS Directive adopted in 2016. The objective is for NIS 2 to cover a larger share of the EU economy and to impose additional security and incident reporting requirements consistently across EU member states.
The Council of the EU must formally adopt NIS 2 before it is published in the EU’s Official Journal. Once it enters into force following publication, EU member states will have 21 months to transpose NIS 2 into national legislation – meaning it is possible that NIS 2 could apply in late 2024.
Who is NIS 2 likely to impact? One of the strategic goals of NIS 2 is to expand the scope of NIS to cover operators of essential services and digital service providers in sectors deemed “critical for the economy and society”. Attacks on supply chains have risen significantly over the past few years, demonstrating how a single supplier’s security incident can become a widespread cyber event for everyone that depends on it. NIS 2 will cover medium and large providers of public electronic communications services and of digital services (including social networking platforms and data centre services), as well as the healthcare sector, including pharmaceutical research and development and medical device manufacturers.
Certain categories of “essential” and “important” entities, notably digital infrastructure and digital service providers such as cloud, data centre and managed service providers, will also be registered with the EU Agency for Cybersecurity (“ENISA”).
What measures will organisations impacted by NIS 2 need to take? NIS 2 will require “essential” and “important” entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems they use for their operations or for the provision of their services. These entities will also need to prevent or minimise the impact of incidents on users or service recipients, as well as on other services which rely on them. At a minimum, the measures will include:
- risk analysis and information system security policies;
- incident handling procedures;
- business continuity plans;
- supply chain security and network security measures;
- cybersecurity testing and auditing procedures;
- cybersecurity training; and
- the use of cryptography and encryption.
What are the incident reporting requirements? NIS 2 will also require “essential” and “important” entities to notify their national CSIRT or competent authority without undue delay of any cybersecurity incident that has a “significant” impact on the provision of their services. NIS 2 staggers that notification: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Notably, the trigger is impact on service delivery, not the compromise of personal data. The competent authority may be a sector-specific regulator rather than the national data protection authority, e.g. the energy and telecoms regulators (in France, the Commission de régulation de l’énergie and the Autorité de régulation des communications électroniques, des postes et de la distribution de la presse; in Germany, the Bundesnetzagentur – the equivalents of Ofgem and Ofcom). Entities subject to both NIS 2 and the EU GDPR may therefore need to notify both the relevant data protection authority and the competent authority under NIS 2 following a single incident, each against its own deadline (72 hours for a personal data breach under the EU GDPR).
Entities will also need to notify their service recipients without undue delay where there may be an adverse effect on the provision of their services and will also need to assist those recipients in mitigating the impact of the incident.
What are the consequences for non-compliance under NIS 2? NIS 2 will introduce a fining regime for non-compliance. The maximum fines could reach (i) €10 million or 2% of total worldwide annual turnover, whichever is higher, for “essential” entities or (ii) €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for “important” entities.
Notably, where non-compliance with NIS 2 also involves a personal data breach, an entity will not be fined under both regimes for the same infringement: a NIS 2 fine will not be imposed where the data protection authority has already imposed a fine under the EU GDPR arising from the same security event.
Will NIS 2 impact organisations in the UK? As EU law, NIS 2 will not apply in the UK. However, on 30 November 2022, the UK government announced proposals to expand the scope of the UK NIS Regulations (“UK NIS”), and some changes similar to NIS 2 can be expected, including:
- expanding the scope of the UK NIS to “Managed Service Providers”, i.e. B2B providers of services such as security monitoring, managed network services or the outsourcing of business processes which involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems;
- expanding the incident reporting requirements under UK NIS to include incidents which pose a significant risk to the security and resilience of the entities and the essential services they provide; and
- establishing a 2-tier supervisory regime for digital service providers in scope of UK NIS. The regime would have a proactive supervisory regime for the most critical digital services and a reactive supervisory regime for the remaining digital services under UK NIS.
The consultation on which these proposals are based closed on 10 April 2022; the 30 November 2022 announcement is the government’s response to it, and the changes will require legislation before they take effect.
Organisations which fall within the remit of NIS 2 may be wary of legislation which imposes additional obligations, as well as two potentially concurrent reporting regimes, in the stressful environment of a cybersecurity incident.
However, while NIS 2 may make cybersecurity incidents with a supply chain dimension more complex to manage, the good news is that cyber preparedness can help to mitigate this burden – strong incident response plans, policies and procedures will help organisations comply with their obligations (including the tight notification deadlines) and can be critical in reducing the impact of a cybersecurity incident.
Organisations should see this new legislation as an opportunity to assess their current practices and put in place and maintain policies, procedures and training to comply with NIS 2 obligations and bolster their cybersecurity preparedness.