The NIS 2 Direc­ti­ve: con­tent and imple­men­ta­ti­on in practice

The Direc­ti­ve “con­cer­ning mea­su­res for a high com­mon level of secu­ri­ty of net­work and infor­ma­ti­on sys­tems across the Uni­on” (the NIS Direc­ti­ve for short) took effect in 2016. Due to the steady pro­gress of digi­tiz­a­ti­on and net­wor­king, and the pro­li­fe­ra­ti­on of cyber-risks, the EU Com­mis­si­on pre­pa­red an update of the NIS Direc­ti­ve some time ago. This update, the NIS 2 Direc­ti­ve, has been the sub­ject of tri­lo­gue nego­tia­ti­ons bet­ween the EU Com­mis­si­on, the EU Par­lia­ment and the Coun­cil sin­ce 13 Janu­a­ry 2022. The fol­lowing arti­cle will exp­lain what com­pa­nies should pre­pa­re for and which steps will have to be taken to imple­ment the Directive.

I. Mas­si­ve exten­si­on of the scope

Based on our cur­rent infor­ma­ti­on, the scope of the NIS Direc­ti­ve will be exten­ded signi­fi­cant­ly. The pro­po­sed new Direc­ti­ve will app­ly to com­pa­nies with more than 50 employees and annu­al reve­nues or total assets in excess of EUR 10 mil­li­on which belong to a sec­tor clas­si­fied as “essen­ti­al” or “important.” The defi­ni­ti­on of the sec­tors which are sub­ject to the Direc­ti­ve will also be mas­si­ve­ly exten­ded. For examp­le, the essen­ti­al “health care” sec­tor will now inclu­de not only health care pro­vi­ders, but also labo­ra­to­ries, medi­cal rese­arch and phar­maceu­ti­cals, as well as manu­fac­tu­rers of medi­cal devices. The defi­ni­ti­on of the essen­ti­al “digi­tal infra­st­ruc­tu­re” sec­tor will also be signi­fi­cant­ly exten­ded, and will now inclu­de cloud pro­vi­ders, data cen­ters and con­tent deli­very net­works. The sec­tors defi­ned as “important” will now inclu­de the ent­i­re indus­tri­al sec­tor, par­ti­cu­lar­ly manu­fac­tu­rers of medi­cal devices and com­pu­ters, as well as the mecha­ni­cal engi­nee­ring and mobi­li­ty sectors.

III. New requi­re­ments for com­pa­nies and seve­re fines

The NIS 2 Direc­ti­ve pro­vi­des for various risk manage­ment actions and repor­ting duties for com­pa­nies, and the natio­nal regu­la­to­ry aut­ho­ri­ties will be char­ged with super­vi­sing com­pli­an­ce and impo­sing pen­al­ties if necessa­ry. The requi­re­ments for risk manage­ment actions are spe­ci­fied in Arti­cle 18(2) of the NIS 2 Direc­ti­ve. They par­ti­cu­lar­ly inclu­de the crea­ti­on of risk ana­ly­sis and secu­ri­ty poli­ci­es for infor­ma­ti­on sys­tems, hand­ling inci­dents, dis­clo­sure of weak points and ensu­ring secu­ri­ty in the sup­ply chain. The Direc­ti­ve pro­vi­des for a dual repor­ting sys­tem. Once they beco­me awa­re of an inci­dent, com­pa­nies have 24 hours to trans­mit a preli­mi­na­ry report, fol­lo­wed by a final report no later than one mon­th after. The Direc­ti­ve also pro­vi­des for stric­ter regu­la­to­ry mea­su­res by the natio­nal aut­ho­ri­ties, as well as stric­ter enfor­ce­ment requi­re­ments. In par­ti­cu­lar, the aut­ho­ri­ties would have the opti­on of per­forming regu­lar assess­ments, inclu­ding on-site inspec­tions. The Direc­ti­ve also aims to intro­du­ce more con­sis­tent prac­ti­ces in the mem­ber sta­tes when it comes to impo­sing pen­al­ties. Aut­ho­ri­ties will be able to levy fines of up to EUR 10 mil­li­on or 2% of the company’s total glo­bal reve­nues, whiche­ver is higher.

IV. Recom­men­da­ti­on for companies

The drafts of the NIS Direc­ti­ve which have been publis­hed to date are non-binding. It remains to be seen what the final text of the Direc­ti­ve will be once the tri­lo­gue nego­tia­ti­ons are con­clu­ded. Once the Direc­ti­ve takes effect, the mem­ber sta­tes will be requi­red to imple­ment it wit­hin the pre­scri­bed imple­men­ta­ti­on peri­od. While the Com­mis­si­on set an imple­men­ta­ti­on peri­od of 18 mon­ths, the Coun­cil would pre­fer to give the mem­ber sta­tes 24 mon­ths ins­tead. Howe­ver, it is alrea­dy clear that the legal requi­re­ments with regard to cyber­se­cu­ri­ty will beco­me much stric­ter. At the same time, we can expect the imple­men­ta­ti­on peri­ods to be short given the limi­ted avai­la­bi­li­ty of cyber­se­cu­ri­ty experts and the expen­se asso­cia­ted with imple­men­ta­ti­on of tech­ni­cal and orga­niz­a­tio­nal impro­ve­ments. Com­pa­nies should the­re­fo­re con­si­der which new legal requi­re­ments they will have to satisfy as part of their cyber­se­cu­ri­ty com­pli­an­ce manage­ment sys­tem, and they should so by the time that the NIS 2 Direc­ti­ve is adop­ted at the latest.


Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.