As many readers will be aware, the EU’s new cybersecurity directive, NIS2, imposes security, incident notification, and governance obligations on entities in a range of critical sectors, including energy, transport, finance, health, and digital infrastructure (for an overview of NIS2, see our previous post here). One of the main reasons the Commission proposed these new rules was the inconsistent manner in which Member States had implemented the requirements of the prior directive, NIS. To improve harmonization further, the Commission has now issued two guidance documents: one to help assess when NIS2 applies and when sector-specific requirements take its place, and one to ensure that registration requirements are applied consistently across the Union.

Guidance on interplay with other cybersecurity laws

NIS2 applies across a range of sectors, some of which are already subject to sector-specific cybersecurity regulation. To avoid duplicating the obligations of entities operating in these sectors, NIS2 provides that where an entity is subject to sector-specific obligations that are “at least equivalent in effect” to the substantive cybersecurity risk management or incident notification obligations under NIS2, the corresponding NIS2 obligations do not apply (Art. 4). During the legislative process, stakeholders debated what this means and how it should work in practice. The final text agreed last year sets out a test for when sector-specific rules should be considered equivalent in effect, and requires the Commission to issue guidelines clarifying how the rule applies.

The first guidance document published by the Commission sets a high bar. It notes, for example, that in assessing whether a sector-specific law’s obligations are equivalent, attention should be paid to all of the requirements of NIS2. This includes whether entities are required to take a risk-based approach; whether the law addresses security across hardware, firmware and software; whether entities are required to take an “all-hazards” approach (e.g., considering natural hazards such as floods, not only cyber threats); and whether the law addresses the specific security measures identified in NIS2, such as business continuity, supply chain security, encryption, and access management.

Likewise, in relation to incident reporting, the guidance notes that NIS2 sets out multiple reporting obligations, each of which should be considered when assessing the equivalence of a sector-specific law. The sector-specific law would therefore need to replicate NIS2’s multi-tiered approach to reporting significant incidents: an initial “early warning” within 24 hours of becoming aware of the incident, followed by an incident notification within 72 hours, intermediate status reports where requested, and a final report describing the root cause of the incident. NIS2 also requires entities to notify the recipients of their services where appropriate.

Based on the considerations described above, the Commission concludes that Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, or DORA), a financial services sector-specific cybersecurity regulation, is currently the only law that is “equivalent in effect” to NIS2.

Helpfully, the guidance recognizes that where the NIS2 risk management and incident reporting obligations do not apply to an entity, other linked NIS2 obligations, such as the obligation to register information with the competent authority (the subject of the second guidance document, discussed below), should also not apply.

Guidance on the information to be provided to Member State authorities

NIS2 requires EU Member States to maintain a register of the “essential” and “important” entities established in their territory. Member States must also provide ENISA with information on certain digital infrastructure and digital service providers (such as cloud computing service providers, data centre service providers, and providers of online marketplaces), so that ENISA can maintain an EU-wide registry of those entities.

The second guidance document issued by the Commission sets out a template that companies can use to provide this information to the competent authority in their Member State. The template largely restates the specific requirements listed in NIS2, i.e., information such as each entity’s name, address and contact details, sector and sub-sector, the EU Member States in which it provides services, and, for the digital providers listed above, its IP ranges. Nonetheless, the existence of the template gives covered entities a concrete starting point for their submissions.

Next steps

As it is a directive, NIS2 does not apply directly to covered entities. Instead, Member States must transpose it into their national law and apply those measures from 18 October 2024. In the meantime, companies will need to assess whether the services they provide fall within the scope of NIS2 and, if so, begin mapping their existing security controls and policies against the NIS2 obligations.

*********

The Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on NIS and NIS2. If you have any questions about how NIS2 will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly changing rules, such as the GDPR and cross-border data transfer rules; and regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.