NIS2: what cybersecurity compliance means for companies in Europe

Diana Ștețiu
Diana Ștețiu

Organisations providing essential services in the European Union (EU) will soon face tougher cybersecurity regulation than ever, with the threat of more and greater fines or withdrawal of license to operate if they do not comply. If you are an important or essential entity in EU, you have time until 17 October 2024 to implement obligations listed in the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, known as the “NIS 2 Directive,” or “NIS2”.

What is NIS2?

NIS2 is the latest legislation that provides guidance and legal measures to boost cybersecurity and resilience within organisations of the European Union. NIS2, which replaced the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS1), aims to eliminate divergences in implementing the repealed NIS1.

NIS2 has a wider scope of application

NIS2 expands the scope of its predecessor NIS1 to include EU-based organisations involved in a wide assortment of critical products and services, as well as others doing business in the EU.

NIS2 applies to a wide range of sectors, such as healthcare, transport and energy providers. Supermarkets, water management companies and digital providers should also prepare for the obligations in the NIS2. The NIS2 Directive includes sectors of high criticality and other critical sectors. There are 11 sectors of high criticality: energy, transport, banking, financial market infrastructure, healthcare, drinking water, waste water, digital infrastructure, ICT services management, public administration and space. In addition, NIS2 has 7 other critical sectors: postal and courier services, waste management, chemical industry, food industry, manufacturing industry, digital providers, research. Both public and private entities that operate within the EU that fall under any of these sectors must implement risk management measures and comply with cybersecurity reporting requirements.

Under NIS1, obligations are placed on “operators of essential services” (OESs) and relevant “digital service providers” (DSPs). However, NIS2 removes the distinction between OESs and DSPs, which the Commission considered obsolete on the basis that it does not reflect the actual importance of the sectors or services for the societal and economic activities in the internal market. NIS2 now classifies in-scope entities based on their importance (i.e. depending on the sector they operate in) and divides them into “essential entities” and “important entities”.

An organisation is considered an essential entity if it is large and operating in one of the 11 sectors of high criticality, such as energy, transport, healthcare and financial services. An organisation is large if it has: (i) a minimum of 250 employees or (ii) an annual turnover of more than EUR 50 million and a balance sheet total of more than EUR 43 million or (iii) both.

If organisations are designated as a critical entity under the Critical Entities Resilience Directive (CER) of the European Union (Directive (EU) 2022/2557), they are automatically considered essential entities under NIS2 as well. These are medium-sized organisations that operate in any of the 11 sectors of high criticality and have: (i) a minimum of 50 employees or (ii) an annual turnover and balance sheet total of more than EUR 10 million or (iii) both.

Medium-sized and large organisations operating in any of the 7 other critical sectors also qualify as important entities. These include, for instance, waste management, postal and courier services, and manufacturers of medical devices.

Summary on criteria that determine which organisations must comply with NIS 2

There are three general criteria that define which organisations must comply with NIS 2:

1. Geography — if they provide services or carry out activities in any country of the European Union (no matter if the organisation providing the services is based in the EU or not), and

2. Size — if they are mid-sized or large organisations (as explained above), and

3. Industry — if they operate in any of the 18 sectors (11 sectors of high criticality and 7 other critical sectors) mentioned above.

Micro and small organisations also need to be compliant with NIS2 Directive if they are entities of a type referred to in Annex I or II of NIS2 Directive, where:

(a) services are provided by:

(i) providers of public electronic communications networks or of publicly available electronic communications services;

(ii) trust service providers;

(iii) top-level domain name registries and domain name system service providers;

(b) the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;

(c) disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;

(d) disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;

(e) the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State.

Risk-based approach

NIS2 adopts a more risk-based approach to cybersecurity, requiring organisations to assess and manage risks effectively rather than adhering to one-size-fits-all security measures. NIS2 introduces a comprehensive set of risk management practices that both essential and important entities need to implement, including:

– incident handling;

– business continuity, such as backup management and disaster recovery, and crisis management;

– supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

NIS2 emphasises the importance of supply chain security, meaning that businesses that are not directly caught by NIS2 could be indirectly impacted, because in-scope entities are encouraged to incorporate cybersecurity risk management measures into their contractual arrangements with their supply chains.

– security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

– basic cyber hygiene practices and cybersecurity training;

– the use of multi-factor authentication or continuous authentication solutions.

NIS2 also states that entities should have:

– policies on risk analysis and information system security;

– policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

– policies and procedures regarding the use of cryptography and, where appropriate, encryption;

– human resources security, access control policies, and asset management.

NIS2 requirements on management

NIS2 imposes new obligations on management bodies. According to Article 20, the top management of essential and important entities: (i) must approve cybersecurity measures that need to be implemented in the company, (ii) must oversee their implementation, and (iii) can be held liable if cybersecurity is not implemented properly.

Articles 32 and 33 further emphasise the liability of the legal representatives of essential entities and important entities.

Without identifying nonconformities during an internal audit, the senior management would never have a complete picture of the state of cybersecurity, which could lead to incidents and liability.

Penalties in NIS2

In terms of administrative fines under NIS2, when essential entities and important entities infringe the cybersecurity risk-management measures or the reporting obligations, for essential entities, the maximum administrative fine amount is the higher of 2% of the global annual turnover in the previous financial year or at least 10 million euros. Moreover, for significant entities, the maximum administrative fine amount is the higher of 1.4% of the global annual turnover in the previous financial year or at least 7 million euros. Penalties may also include periodic fines to force entities to cease violations. When multiple member states are involved, competent authorities must provide mutual assistance in enforcement, with joint supervisory actions possible, and the European Commission being granted the power to adopt delegated and implementing acts.

Directors of organisations subject to NIS2 can face personal liability if they neglect to take suitable measures ensuring compliance with the cybersecurity standards under NIS2. This liability may stem from directorial negligence in overseeing the security of network and information systems, resulting in significant incidents or breaches. Moreover, liability can arise when directors fail to ensure their organisation’s adherence to the specified obligations laid out in NIS2, including conducting risk assessments, incident reporting and cooperation with national authorities.

Compliance measures checklist

The implementation process into national legislation is ongoing, but governments across the EU have advised businesses to take preparatory measure. For organisations embarking on the journey of NIS2 compliance, we recommend adhering to these actionable steps for a successful approach:

STEP 1: Risk assessment

– Perform comprehensive risk assessments to pinpoint vulnerabilities and threats which are unique to your business.

– Develop and execute tailored risk management strategies aligned with your business.

– Consider digital risks capable of disrupting business continuity, prioritize critical business interests, and incorporate existing protective measures into assessments.

STEP 2: Review the supply chain security

– Evaluate the cybersecurity practices of suppliers and partners.

– Explore methods to ensure compliance with necessary security standards, such as revising existing contracts, integrating new cybersecurity clauses into standard agreements, and establishing protocols for routine inspections and audits.

– Additionally, contemplate diversifying the supply chain to minimize vulnerability to single points of failure.

STEP 3: Develop incident response plan

– Create a comprehensive incident response plan detailing protocols for promptly detecting, reporting, and mitigating cybersecurity incidents.

STEP 4: Security by design

– Integrate cybersecurity into the conception and crafting of products and services.

– Integrate security measures throughout every phase of the product lifecycle.

STEP 5: Employee training

– Create and perform training sessions for staff regarding optimal cybersecurity practices and foster a culture of heightened security awareness within the organisation.

Entrusting NIS 2 compliance solely to individuals like your IT administrator, with no formal authority, is overly simplistic and risky. Success hinges not only on having implementation milestones, outcomes, and delegated responsibilities, but also on adopting a project-oriented approach by the senior management of your company.

On a general note, our recommendation is to stay updated on NIS2 developments and carefully track draft implementation acts related to NIS2. When feasible, consider offering input on the draft acts elaborated by the national authorities during consultation periods. Since NIS 2 is a directive, this means that each EU country will define its own cybersecurity laws based on NIS 2, whereas NIS 2 specifies the minimum level of cybersecurity to be achieved. In practice, this means that companies in some countries will have to comply with the minimum specified in NIS 2, and in other countries they will have to comply with more strict cybersecurity requirements specified in local laws. The Member States are now required to transpose NIS2 into national law by 17 October 2024.

In Romania, on 30 April 2024, Directoratul Național de Securitate Cibernetică, as the designated authority for implementing NIS2, invited the stakeholders to submit an initial set of proposals regarding the transposition of certain aspects outlined in NIS2 into national legislation. See link below:

We hope this article will be useful for organisations looking to learn more about how to protect themselves against cyber threats and how to comply with the NIS2 Directive.

Diana Stetiu, Managing Partner Diana Stetiu FinTech Law Office