The Directive “concerning measures for a high common level of security of network and information systems across the Union” (the NIS Directive for short) took effect in 2016. Due to the steady progress of digitization and networking, and the proliferation of cyber-risks, the EU Commission prepared an update of the NIS Directive some time ago. This update, the NIS 2 Directive, has been the subject of trilogue negotiations between the EU Commission, the EU Parliament and the Council since 13 January 2022. The following article will explain what companies should prepare for and which steps will have to be taken to implement the Directive.
I. Massive extension of the scope
Based on our current information, the scope of the NIS Directive will be extended significantly. The proposed new Directive will apply to companies with more than 50 employees and annual revenues or total assets in excess of EUR 10 million which belong to a sector classified as “essential” or “important.” The definition of the sectors which are subject to the Directive will also be massively extended. For example, the essential “health care” sector will now include not only health care providers, but also laboratories, medical research and pharmaceuticals, as well as manufacturers of medical devices. The definition of the essential “digital infrastructure” sector will also be significantly extended, and will now include cloud providers, data centers and content delivery networks. The sectors defined as “important” will now include the entire industrial sector, particularly manufacturers of medical devices and computers, as well as the mechanical engineering and mobility sectors.
III. New requirements for companies and severe fines
The NIS 2 Directive provides for various risk management actions and reporting duties for companies, and the national regulatory authorities will be charged with supervising compliance and imposing penalties if necessary. The requirements for risk management actions are specified in Article 18(2) of the NIS 2 Directive. They particularly include the creation of risk analysis and security policies for information systems, handling incidents, disclosure of weak points and ensuring security in the supply chain. The Directive provides for a dual reporting system. Once they become aware of an incident, companies have 24 hours to transmit a preliminary report, followed by a final report no later than one month after. The Directive also provides for stricter regulatory measures by the national authorities, as well as stricter enforcement requirements. In particular, the authorities would have the option of performing regular assessments, including on-site inspections. The Directive also aims to introduce more consistent practices in the member states when it comes to imposing penalties. Authorities will be able to levy fines of up to EUR 10 million or 2% of the company’s total global revenues, whichever is higher.
IV. Recommendation for companies
The drafts of the NIS Directive which have been published to date are non-binding. It remains to be seen what the final text of the Directive will be once the trilogue negotiations are concluded. Once the Directive takes effect, the member states will be required to implement it within the prescribed implementation period. While the Commission set an implementation period of 18 months, the Council would prefer to give the member states 24 months instead. However, it is already clear that the legal requirements with regard to cybersecurity will become much stricter. At the same time, we can expect the implementation periods to be short given the limited availability of cybersecurity experts and the expense associated with implementation of technical and organizational improvements. Companies should therefore consider which new legal requirements they will have to satisfy as part of their cybersecurity compliance management system, and they should so by the time that the NIS 2 Directive is adopted at the latest.back