The cybersecurity legal landscape continues to evolve, and the latest development for businesses is the NIS2 Directive, which came into force on 16 January 2023. Member States must transpose it into national law by 17 October 2024, and companies will have to comply with its requirements from 18 October 2024. With a focus on fortifying Europe's defences against cyber threats, the Directive mandates stringent cybersecurity measures affecting a multitude of sectors. While the original NIS Directive laid the groundwork, NIS2 aims to address its gaps, broaden its scope, and reinforce security through more stringent and more uniform obligations across the EU.
The Essential 10 Security Measures
NIS2 requires in-scope organizations to take appropriate and proportionate technical, operational and organizational measures to manage the risks to their network and information systems, and to prevent or minimize the impact of incidents. Article 21 of the Directive lists 10 minimum measures that every organization within NIS2's scope must implement. Take a moment to audit your organization's current practices against the following checklist:
- Policies on risk analysis and information system security.
- Incident handling, including detection, response and recovery.
- Business continuity, covering backup management, disaster recovery, and crisis management.
- Supply chain security, including the security-related aspects of the relationship with each direct supplier and service provider.
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of the cybersecurity risk-management measures themselves.
- Basic cyber hygiene practices and regular cybersecurity training.
- Policies and procedures on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate.
Is Your Business Impacted?
NIS2 has expanded its scope to cover more sectors than its predecessor. Sectors such as district heating and cooling, wastewater, data centre service providers, and content delivery network providers, among others, are now in scope. In total, NIS2 covers 18 sectors, split between the sectors of high criticality in Annex I and the other critical sectors in Annex II, each with its own subsectors.
If your business operates in one of these sectors and meets the size test for a medium or large enterprise, NIS2 will apply. Small enterprises (fewer than 50 employees and annual turnover or balance sheet total of €10 million or less) and micro-enterprises (fewer than 10 employees and €2 million or less) are not automatically covered. There are exceptions, however: the Directive itself brings certain entities into scope regardless of size (for example providers of DNS services, top-level domain name registries, trust service providers, and public electronic communications networks or services), and Member States may also designate smaller entities whose services are critical to society or the economy.
Essential vs. Important Entities - Why does it matter?
Whether your organization is classified as essential or important depends on both its sector and its size: broadly, large entities in the Annex I high-criticality sectors (together with certain entity types named in the Directive) are essential, and the remaining in-scope entities are important. Both categories must implement the same security measures, but the intensity and nature of their supervision differ. Essential entities are subject to proactive (ex-ante) supervision, including regular audits and inspections. Important entities are supervised reactively (ex-post), typically after an incident or where evidence suggests non-compliance. Correct classification is therefore crucial, as it determines the supervisory regime and the maximum fines that apply.
New Onus on C-level Executives
In many areas of compliance involving an IT element, there is a tendency in some organizations to treat compliance as the responsibility of the IT department alone. NIS2 rejects that view and places a direct burden on management bodies, who are expected to take a proactive role in ensuring their organizations comply with the new requirements. In particular, the Directive requires management bodies to approve the cybersecurity risk-management measures, oversee their implementation, and follow training themselves (and encourage training for staff) so that they can identify risks and assess the measures in place. Management can be held liable for breaches of these duties, and for essential entities the consequences may include a temporary ban on individuals exercising managerial functions.
Employee Training and Preparedness
Training is paramount. NIS2 stresses the importance of a well-informed workforce. Continuous training programmes, regular threat updates, and breach drills are needed. This ensures that every layer of the organization is prepared and vigilant.
Reporting Obligations
NIS2's reporting requirements apply to significant incidents and follow a staged timeline: an early warning to the competent authority or CSIRT within 24 hours of becoming aware of the incident; an incident notification within 72 hours, including an initial assessment of severity and impact; intermediate status updates on request; and a final report within one month of the incident notification, covering the root cause, the mitigation measures applied, and any cross-border impact (a progress report is due instead if the incident is still ongoing). Meeting the 24-hour deadline in practice requires incident detection and escalation processes that already work before an incident occurs.
Financial Implications and Penalties
Beyond infrastructure and training investments, businesses must anticipate penalties. Essential entities can face administrative fines of up to €10,000,000 or 2% of their total worldwide annual turnover in the preceding financial year, whichever is higher. Important entities can face fines of up to €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. These exposures should be reflected in risk assessment models and in a company's insurance arrangements.
Include the Supply Chain
Each organization's security is often only as strong as its weakest external link, especially in the digital field. Supply chain security is therefore also critical. Organizations must address the security-related aspects of their relationships with direct suppliers and service providers, taking into account each supplier's vulnerabilities, the overall quality of its products and services, and its secure development practices. Supplier due diligence, regular audits, supplier cybersecurity awareness, and contractual security clauses (covering, for example, incident notification and vulnerability handling) will become standard.
Non-EU Entities: The Extra Mile
For entities outside the EU that offer services in its market, NIS2 remains relevant. Certain categories of provider not established in the EU (including DNS service providers, top-level domain name registries, cloud computing, data centre and content delivery network providers, managed service and managed security service providers, and providers of online marketplaces, search engines and social networking platforms) must designate a representative in one of the Member States where they offer services. Such organizations should acquaint themselves with the Directive, appoint that EU representative where required, and ensure that any EU branches or subsidiaries that fall within scope comply.
Conclusion
Companies covered by NIS2 will have to comply with the new requirements from October 2024. Steps therefore need to be taken now. From C-level executives to suppliers, everyone will have to play a part: compliance will involve prompt, proactive adaptation, training, and strategic foresight. Finally, even for organizations which are not covered by NIS2, it makes sense to take proportionate and effective measures to ensure digital security.
This article provides a general overview only and does not constitute legal advice which can be relied on by a specific company. For further information, please contact the author at lezcano@thecontractcentre.com