Today, October 18, is the deadline for Member States to start to apply “NIS2” under national laws. NIS2 is the new cybersecurity law that builds on requirements under the prior NIS Directive. As previously reported, key elements of NIS2 include:

  • Broader scope of application – it covers a wide range of sectors, including energy, transport, digital infrastructure, health, manufacturing, and pharma, among others.
  • Stricter cybersecurity obligations – it imposes stricter security and incident reporting obligations; covered entities must implement a minimum set of security measures and notify competent authorities of a “significant” incident within 24 hours of becoming aware of it.
  • Stricter obligations on management – NIS2 imposes direct obligations on “management bodies” for the implementation of adequate cybersecurity measures within covered entities, including throughout the supply chain.
  • Enhanced enforcement and stiffer penalties – regulators have a wide range of powers and can impose severe fines in case of non-compliance—up to €10 million or 2% of global turnover.

For more detailed information, please see our previous blog posts here and here.

Despite today’s deadline, most EU Member States—other than Belgium, Croatia, Hungary, Italy, Latvia and Lithuania—have not yet transposed NIS2 into national law. Some Member States (e.g., Czechia, Finland, Germany) have published draft laws that are going through the legislative process, and many others are still working on a bill (e.g., Denmark, France, Ireland, the Netherlands, Spain). This state of affairs certainly complicates compliance planning for multinationals, although most are rightly focusing on core controls and procedures that will help organizations demonstrate compliance across the EU.

Another late development is the European Commission’s announcement yesterday regarding the first implementing act that sets out detailed cybersecurity risk management and incident reporting requirements for companies that provide digital services, e.g., cloud computing, data center service providers, online marketplaces, and social networking platforms. Our previous blog post here described an earlier draft and provides a flavor, although this has been amended in some important ways in relation to what constitutes a “significant” and therefore reportable incident (e.g., a vague criterion relating to reputational impact has thankfully been deleted, and guidance around what it means to “become aware” of an incident has been added). Some of these criteria are going to be challenging to apply in practice (especially during an incident), and impacted companies will need to review the details of this implementing act carefully.

Going forward, organizations that are preparing for NIS2 should keep an eye on national implementing laws, the competent authorities designated to supervise its implementation, and any further secondary legislation from the European Commission.

*                      *                      *

The Data Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on NIS, NIS2, and other cyber-related regulations. If you have any questions about how NIS2 will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” has “great insight into the regulators;” and “is technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 20 years of experience, Mark specializes in:

  • Providing practical guidance and advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services.
  • Handling complex regulatory investigations and enforcement actions involving data privacy regulators in the UK, EU and globally, and advising on follow-on litigation risk.
  • Helping clients respond to cybersecurity incidents, including ransomware, supply chain incidents, state-sponsored attacks, insider threats, personal data breaches, and IP and trade secret theft.
  • Advising various clients on the EU NIS2 Directive, Cyber Resilience Act (CRA), and other emerging EU, UK, and global cybersecurity laws and regulations.
  • Advising life sciences companies on industry-specific data privacy issues, including clinical trials, pharmacovigilance, and digital health products and services.
  • Advising on data privacy compliance in relation to employees and international transfers of data in connection with white collar investigations.
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues relating to data privacy, cybersecurity, eIDs, and software.
  • Representing clients in connection with references to the Court of Justice of the EU.