The new EU-wide cyber law, Directive 2022/2555 (NIS2), entered into force on Monday, January 16, 2023. NIS2 builds on the original NIS Directive but significantly expands the categories of organizations that fall within the scope of the law, imposes new and more granular security and incident reporting rules, and creates a stricter enforcement regime. Member states now have until October 18, 2024 to transpose the new directive into their respective national laws.

The passage of NIS2 sets the stage for 2023 to be another big year for cybersecurity in Europe. We expect the global cyber threat landscape to remain challenging and the regulatory landscape to become even more complex due to a raft of new laws including the Cyber Resilience Act (which we covered here), the Critical Entities Resilience Directive (see our post here), the Digital Operational Resilience Act (DORA) (focused on financial services), and the UK’s ongoing reforms to its Network and Information Systems Regulations.

In this blog post, we summarize the key elements of NIS2 and describe what they will mean for your cybersecurity program this year.

NIS2 in brief

NIS2 replaces Directive 2016/1148 (NIS), which was passed in 2016 and was the first “horizontal” (i.e., cross-sector) cybersecurity law in the EU. As we previously reported:

  1. NIS2 significantly expands the categories of entities within scope; a wide range of entities that did not fall under NIS – such as manufacturers of chemicals and medical devices, food processors, and social network providers – will now fall within the scope of NIS2.
  2. The new law no longer distinguishes between “operators of essential services” and “digital service providers”; instead, it distinguishes between “essential entities” and “important entities” based on the sector and size of the operators. The same substantive obligations apply to both essential and important entities, but essential entities are subject to stricter enforcement and oversight obligations (described below).
  3. NIS2 imposes new cybersecurity obligations on “essential” and “important” entities in relation to risk management (including supply chain risk management), reporting of cyber incidents, and information sharing; covered entities will need to implement new processes and policies to comply with these new obligations.
  4. Covered entities can be subject to various enforcement orders and significant fines for non-compliance. In order to give cybersecurity requirements even more “bite”, NIS2 introduces obligations and personal liability for “management bodies”, such as company boards and executives.
  5. In addition, the new law requires EU member states to enhance their national cybersecurity strategies and respond to digital threats – covered entities should be attentive to upcoming member state initiatives in this space.

Where sector-specific EU laws require essential or important entities to adopt cybersecurity measures or to notify incidents, and where those requirements are “at least equivalent in effect” to the obligations laid down in NIS2, the sector-specific requirements will apply.

Who does NIS2 apply to?

NIS2 applies to a wide range of “essential entities” and “important entities” summarized in the following table. More sectors are within the scope of the new law compared to the original NIS. Organizations will need to carefully assess each category to determine whether NIS2 applies to them.

Essential Entities (size threshold: varies by sector, but generally 250 employees, annual turnover of € 50 million or balance sheet of € 43 million):

  • energy
  • transport
  • banking and financial markets
  • health
  • water (drinking and waste)
  • digital infrastructure (including cloud computing service providers) and ICT service management
  • public administration
  • space

Important Entities (size threshold: varies by sector, but generally 50 employees, annual turnover of € 10 million or balance sheet of € 10 million):

  • all of the sectors listed under “essential entities” (see above) and within the size threshold for “important entities”
  • postal and courier services
  • waste management
  • manufacture, production and distribution of chemicals
  • production, processing and distribution of food
  • manufacturing (e.g., of medical devices and various other equipment)
  • digital providers such as online marketplaces, search engines and social networks
  • research

Even if an entity does not meet the size threshold, the entity can still be designated as “essential” or “important” in limited circumstances, such as where the entity is the “sole provider” in a member state of a service that is critical to societal or economic activity.

EU member states have until April 2025 to establish a list of essential and important entities.

What does NIS2 require entities to do?

Technical and organizational cybersecurity measures

Just like NIS, NIS2 requires essential and important entities to take technical, operational and organizational measures to manage risks to their network and information systems, and to minimize the impact of potential incidents on users of the entity’s service.

However, NIS2 also introduces a requirement to implement baseline security measures to address specific risks. These include implementing policies on risk analysis and information security, incident handling, business continuity, supply chain security, information systems development practices including vulnerability disclosure, cryptography, encryption, and multifactor authentication. Member states may also prescribe the use of specific ICT products, services, and processes that have been certified under the Cybersecurity Act.

Corporate accountability

NIS2 requires that management bodies oversee, approve, and be trained on the cybersecurity measures taken by the entity they manage. Management bodies and personnel are also exposed to significant potential penalties, including being held liable for their organization’s breaches of NIS2 and being temporarily banned from acting as a manager. NIS2 does not define who is considered a member of a “management body”, though we expect it to include boards of directors and some executives; individual member states’ implementations of NIS2 may provide further clarity on this issue.

Incident reporting obligations

As the Commission summarized in its press release, NIS2 seeks to “streamline incident reporting obligations with more precise provisions on reporting, content and timeline.” Essential and important entities are required to notify the relevant EU member state authority of any incident that has a “significant impact” on the provision of their services or on the recipients of those services. NIS2 introduces specific deadlines for the notification using a tiered approach under which entities must provide:

  1. an “early warning” within 24 hours of becoming aware of the incident, which indicates whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
  2. an “incident notification” within 72 hours of becoming aware of the incident which, in addition to the information provided in the “early warning”, provides an initial assessment of the incident’s severity, impact, and indicators of compromise; and
  3. a “final report” within 1 month after the submission of the incident notification, which includes a detailed description of the incident including the incident’s root cause.

Entities also need to notify service recipients who may be affected by a significant cyber threat “without undue delay”, including setting out any measures or remedies the service recipients can take in response to the cyber incident.

Since a reportable incident under NIS2 may also be a personal data breach under the EU General Data Protection Regulation (GDPR), NIS2 provides that competent authorities must inform data protection authorities without undue delay of any incident that under the GDPR would be considered a notifiable personal data breach. If the data protection authorities decide to impose a fine against the entity that suffered the incident for violating the GDPR, the NIS2 competent authorities may not impose a fine for that same incident under NIS2, in order to prevent double punishment. The NIS2 competent authorities may, however, still impose other enforcement measures, such as ordering the entities concerned to implement the recommendations of a security audit within a reasonable deadline or to make public aspects of the infringements.

Register of critical entities and top-level domain database

For technology infrastructure sectors such as domain name registry providers and IT managed service providers, ENISA will collate registrations and maintain a European database of entities in these sectors. NIS2 also requires internet top-level domain name registrars to maintain a database enabling the holder of any individual domain name to be contacted.

Which regulators will be competent and what enforcement powers will they have?

As a general rule, essential and important entities should fall under the jurisdiction of the member state in which they are established. Cloud computing service providers and other digital infrastructure providers shall be under the jurisdiction of the member state in which they have their “main establishment” in the EU.

As a rule, the “main establishment” is the establishment in the member state where the decisions related to the cybersecurity risk-management measures are predominantly taken. If such a member state cannot be determined or if such decisions are not taken in the EU, then the main establishment will be that of the member state where cybersecurity operations are carried out. If, again, such a member state cannot be determined, the main establishment will be that of the member state where the entity concerned has the establishment with the highest number of employees in the EU.

In addition, essential or important entities not established in the EU will need to designate an EU representative established in one of the member states where the services are offered.

Compared to NIS, NIS2 provides more detailed rules on the powers of national authorities responsible for the cybersecurity supervision and enforcement tasks. The investigation and supervision powers available to regulators include:

  • on-site inspections;
  • security audits;
  • requests for information to assess cybersecurity measures adopted by the entity;
  • security scans; and
  • requests to access information to assess cybersecurity risk-management measures, evidence of implementation of cybersecurity policies and data, documents and other information.

In general, NIS2’s investigation powers allow essential entities to be investigated at any time, including through regular audits and random inspections, whereas important entities can only be investigated ex post (that is, after an incident occurs).

NIS2 also provides for heavy penalties for non-compliance. These include fines of €10 million or 2% of global turnover (whichever is higher) for essential entities and €7 million or 1.4% of global turnover (whichever is higher) for important entities. Supervisory authorities will also be able to impose a range of non-monetary remedies including compliance orders, binding instructions, orders to implement security audit findings, and orders to inform people (e.g. the entity’s customers) about cyber threats.

Next steps

Member states will now begin to transpose NIS2 into their national law to meet the October 18, 2024 deadline for transposition.

Before NIS2 comes into force, companies will need to:

  • assess whether they provide any services or conduct any activities that are captured by the Directive and if so, which subsidiaries or business units are affected;
  • begin assessing their security controls and preparing amendments to their security, risk management and incident response policies to achieve and document their compliance with NIS2;
  • “flow through” new security controls and incident response obligations to their suppliers given the explicit requirement in NIS2 to address supply chain risk and the new incident reporting obligations. This process is often time-consuming so it is best to start it as soon as possible.

*                      *                      *

The Data Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on NIS, NIS2, and other cyber-related regulations. If you have any questions about how NIS2 will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Bart Szewczyk

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, economic sanctions and asset seizure, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well as conducts international arbitration. He also teaches grand strategy as an Adjunct Professor at Sciences Po in Paris and is a Nonresident Senior Fellow at the German Marshall Fund.

Bart recently worked as Advisor on Global Affairs at the European Commission’s think-tank, where he covered a wide range of foreign policy issues, including international order, defense, geoeconomics, transatlantic relations, Russia and Eastern Europe, Middle East and North Africa, and China and Asia. Previously, between 2014 and 2017, he served as Member of Secretary John Kerry’s Policy Planning Staff at the U.S. Department of State, where he covered Europe, Eurasia, and global economic affairs. From 2016 to 2017, he also concurrently served as Senior Policy Advisor to the U.S. Ambassador to the United Nations, Samantha Power, where he worked on refugee policy. He joined the U.S. government from teaching at Columbia Law School, as one of two academics selected nationwide for the Council on Foreign Relations International Affairs Fellowship. He has also consulted for the World Bank and Rasmussen Global.

Prior to government, Bart was an Associate Research Scholar and Lecturer-in-Law at Columbia Law School, where he worked on international law and U.S. foreign relations law. Before academia, he taught international law and international organizations at George Washington University Law School, and served as a visiting fellow at the EU Institute for Security Studies. He also clerked at the International Court of Justice for Judges Peter Tomka and Christopher Greenwood and at the U.S. Court of Appeals for the Third Circuit for the late Judge Leonard Garth.

Bart holds a Ph.D. from Cambridge University where he studied as a Gates Scholar, a J.D. from Yale Law School, an M.P.A. from Princeton University, and a B.S. in economics (summa cum laude) from The Wharton School at the University of Pennsylvania. He has published in Foreign Affairs, Foreign Policy, Harvard International Law Journal, Columbia Journal of European Law, American Journal of International Law, George Washington Law Review, Survival, and elsewhere. He is the author of three books: Europe’s Grand Strategy: Navigating a New World Order (Palgrave Macmillan 2021); with David McKean, Partners of First Resort: America, Europe, and the Future of the West (Brookings Institution Press 2021); and European Sovereignty, Legitimacy, and Power (Routledge 2021).

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.