The NIS 2 Directive (EU 2022/2555 on measures for a high common level of cybersecurity across the Union) entered into force on 16 January 2023, amends the eIDAS Regulation (EU 910/2014) and replaces the current NIS 1 Directive (EU 2016/1148).
The new NIS 2 Directive aims at further improving the resilience and incident response capacities of both the public and private sectors and focuses on cybercrime and European and national cybersecurity management.
The main shortcoming of the NIS 1 Directive was that it led to a fragmented application of the European scheme throughout the Member States, which the NIS 2 Directive tries to correct, notably by setting a coherent framework for all supervisory and enforcement activities across Member States and for sanctions across the Union.
The key highlights of the NIS 2 Directive are the following:
1. Increasing the accountability of the C-level (by imposing direct obligations on the management in respect of compliance obligations, in particular to approve the cybersecurity risk-assessment);
2. Increasing the level of cyber resilience in a comprehensive way for entities operating in the EU across all relevant sectors (the NIS 2 Directive contains a list of mandatory measures to be taken, such as business continuity measures, cybersecurity training, policies on risk analysis and information system security, etc.);
3. The obligation to notify the competent authority (in case of any incident having a significant impact on the provision of the services) and the recipients of the services (if such an incident is likely to adversely affect the provision of those services) within very strict timeframes;
4. The creation of GDPR-like fines (up to 10,000,000 EUR or 2% of the total annual worldwide turnover – whichever is higher);
5. The establishment of a framework for better cooperation and information sharing between Member States and competent authorities (to improve awareness and the collective capability to prepare for and respond to cyber threats).
The scope of entities covered by the NIS 2 Directive is larger than that of the NIS 1 Directive and focuses on sectors that are either “essential” (e.g. energy, transport, banking, health, digital infrastructure, public administration, space) or “important” (e.g. postal services, digital providers, electronics, food, chemicals, waste management, etc.).
Even though there are specified exceptions, generally, all large and medium-sized organizations in the selected sectors, whether public or private, would fall under the legislation (i.e. companies having more than 50 employees and an annual turnover greater than 10 million euros).
The NIS 2 Directive also includes alternative criteria for falling within its scope, as well as an exhaustive list of IT service providers, such as online marketplaces, search engines, cloud computing services, data centres and content delivery networks, that will be governed by the NIS 2 Directive without any quantitative thresholds.
It is also interesting to note that the scope is not limited to companies established in the EU but also affects companies located outside of the EU, provided that they have an activity within the EU (e.g. social media, search engines, etc.).
The typical risk-based approach should, at a minimum, include the following considerations:
National parliaments of Member States shall adopt and publish necessary measures in order to implement this Directive into their respective national law by 16 October 2024.
For further information, please contact the members of our Tech and IP team.
Deputy Managing Partner, Avocat à la Cour au Barreau de Luxembourg, PwC Legal
Tel: +352 26 48 42 35 98
Counsel, Avocat liste IV au barreau de Luxembourg, PwC Legal
Tel: +352 26 48 42 35 58