NIS2 Directive

The EU Network and Information Security (NIS) Directive was the first piece of EU-wide cybersecurity legislation and came into force in 2016. To address the limitations identified in that framework and to respond to the growing cybersecurity threats in the EU in the wake of digitalization and Covid-19, the European Commission has replaced the NIS Directive with the NIS2 Directive, which introduces more stringent supervisory measures for national authorities and stricter enforcement requirements, and aims to harmonize sanctions regimes across Member States. The NIS2 Directive entered into force on January 16, 2023, and the Member States have 21 months, until October 17, 2024, to transpose the directive into national law.


The NIS2 Directive aims to strengthen security requirements in the EU by expanding its scope to more sectors and entities; by requiring measures such as risk analysis and information system security policies, incident handling, and supply chain security; and by streamlining reporting obligations, among others. In case of non-compliance, NIS2 requires Member States to provide for hefty penalties: €10 million or 2% of global turnover (whichever is higher) for essential entities and €7 million or 1.4% of global turnover (whichever is higher) for important entities. NIS2 imposes direct obligations on management bodies for the implementation and supervision of their organization’s compliance with the legislation. Non-compliance could lead to a temporary ban from discharging managerial responsibilities being imposed on the entity’s senior management, including C-suite executives.


NIS2 Directive requirements

  1. Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
  2. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems, based on:
    a) policies on risk analysis and information system security;
    b) incident handling;
    c) business continuity, such as backup management and disaster recovery, and crisis management;
    d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
    e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
    f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
    g) basic cyber hygiene practices and cybersecurity training;
    h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
    i) human resources security, access control policies and asset management;
    j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
  3. Starting from 18 October 2024, all NIS2 entities are required to notify the CCB of significant incidents, i.e. any incident that has a significant impact on the provision of their services and that:
    a) has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
    b) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Do you need help with NIS2 implementation?

We can help you with this.
