The NIS 2 Directive: content and implementation in practice

The Directive “concerning measures for a high common level of security of network and information systems across the Union” (the NIS Directive for short) took effect in 2016. Due to the steady progress of digitization and networking, and the proliferation of cyber-risks, the EU Commission prepared an update of the NIS Directive some time ago. This update, the NIS 2 Directive, has been the subject of trilogue negotiations between the EU Commission, the EU Parliament and the Council since 13 January 2022. The following article will explain what companies should prepare for and which steps will have to be taken to implement the Directive.

I. Massive extension of the scope

Based on our current information, the scope of the NIS Directive will be extended significantly. The proposed new Directive will apply to companies with more than 50 employees and annual revenues or total assets in excess of EUR 10 million which belong to a sector classified as “essential” or “important.” The definition of the sectors which are subject to the Directive will also be massively extended. For example, the essential “health care” sector will now include not only health care providers, but also laboratories, medical research and pharmaceuticals, as well as manufacturers of medical devices. The definition of the essential “digital infrastructure” sector will also be significantly extended, and will now include cloud providers, data centers and content delivery networks. The sectors defined as “important” will now include the entire industrial sector, particularly manufacturers of medical devices and computers, as well as the mechanical engineering and mobility sectors.

III. New requirements for companies and severe fines

The NIS 2 Directive provides for various risk management actions and reporting duties for companies, and the national regulatory authorities will be charged with supervising compliance and imposing penalties if necessary. The requirements for risk management actions are specified in Article 18(2) of the NIS 2 Directive. They particularly include the creation of risk analysis and security policies for information systems, incident handling, vulnerability disclosure and ensuring security in the supply chain. The Directive provides for a dual reporting system. Once they become aware of an incident, companies have 24 hours to transmit a preliminary report, followed by a final report no later than one month later. The Directive also provides for stricter regulatory measures by the national authorities, as well as stricter enforcement requirements. In particular, the authorities would have the option of performing regular assessments, including on-site inspections. The Directive also aims to introduce more consistent practices in the member states when it comes to imposing penalties. Authorities will be able to levy fines of up to EUR 10 million or 2% of the company’s total global revenues, whichever is higher.

IV. Recommendation for companies

The drafts of the NIS Directive which have been published to date are non-binding. It remains to be seen what the final text of the Directive will be once the trilogue negotiations are concluded. Once the Directive takes effect, the member states will be required to implement it within the prescribed implementation period. While the Commission set an implementation period of 18 months, the Council would prefer to give the member states 24 months instead. However, it is already clear that the legal requirements with regard to cybersecurity will become much stricter. At the same time, we can expect the implementation periods to be short given the limited availability of cybersecurity experts and the expense associated with implementation of technical and organizational improvements. Companies should therefore consider which new legal requirements they will have to satisfy as part of their cybersecurity compliance management system, and they should do so by the time that the NIS 2 Directive is adopted at the latest.
