NIS 2 Directive: an increased scope for a safer and cybercrime-free Union?

The NIS 2 Directive (EU 2022/2555 on measures for a high common level of cybersecurity across the Union) entered into force on 16 January 2023, amends the eIDAS Regulation (EU 910/2014) and replaces the current NIS 1 Directive (EU 2016/1148).

What are the main objectives and key changes of this new nis 2 directive?

The new NIS 2 Directive aims at further improving the resilience and incident response capacities of both the public and private sectors and focuses on cybercrime and European and national cybersecurity management.

The main shortcoming of the NIS 1 Directive was that it led to a fragmented application of the European scheme throughout the Member States, which the NIS 2 Directive tries to correct, notably by setting a coherent framework for all supervisory and enforcement activities across Member States and for sanctions across the Union.

The key highlights of the NIS 2 Directive are the following:

1. Increasing the accountability of the C-level (by imposing direct obligations on the management in respect of compliance obligations, in particular to approve the cybersecurity risk-assessment);

2. Increasing the level of cyber resilience in a comprehensive way for entities operating in the EU across all relevant sectors (the NIS 2 Directive contains a list of mandatory measures to be taken, such as business continuity measures, cybersecurity training, policies on risk analysis and information system security, etc.);

3. The obligation to notify the competent authority (in case of any incident having a significant impact of the provision of the services) and the recipients of the services (if such an incident is likely to adversely affect the provision of those services) within very strict timeframes;

4. The creation of GDPR-like fines (up to 10,000,000 EUR or 2% of the total annual worldwide turnover – whichever is higher);

5. The establishment of a framework for a better cooperation and information sharing between Member States and competent authorities (to improve the awareness and the collective capability to prepare and respond to the cyber threats).

Who is covered by the scope of this new nis 2 directive?

The scope of entities covered by the NIS 2 Directive is larger than the NIS 1 Directive and focuses on sectors that are either “essential” (e.g. energy, transport, banking, health, digital infrastructure, public administration, space) or “important” (e.g. postal services, digital providers, electronics, food, chemicals, waste management, etc).

Even though there are specified exceptions, generally, all large and medium-sized organizations in the selected sectors, whether public or private, would fall under the legislation (i.e. companies having more than 50 employees and an annual turnover greater than 10 million euros).

The NIS 2 Directive also includes alternative criteria to be within the scope as well as an exhaustive list of IT services providers such as online marketplaces, search engines, cloud computing, data center and content delivery networks that will be governed by the NIS 2 Directive without any quantitative thresholds.

It is also interesting to note that the scope is not limited to companies established in the EU but also affects companies located outside of the EU provided that they have an activity within the EU (e.g. social media, search engines, etc).

The typical risk-based approach should a minima include the following considerations:

  • Risk analysis and assessment of cyber threats;
  • Detection and remediation of vulnerabilities of products or IT services that can be used for committing a cyber crime;
  • Consideration of risks associated with the critical supply chain (subcontractors, suppliers, etc.);
  • Cyber threat detection at earliest (i.e. any event compromising the availability, authenticity integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems))
  • Cyber threat management (i.e. the prevention, detection, identification, containment, analysis and response to incidents).

What are the next steps?

National parliaments of Member States shall adopt and publish necessary measures in order to implement this Directive into their respective national law by 16 October 2024.

What should i do in the meantime?

  • Check whether your organization falls within the scope of the NIS 2 Directive;
  • Audit your existing processes, policies and cybersecurity measures to identify any gap;
  • Review your agreements with subcontractors, in particular supply chains;
  • Inform the management and your staff about the new obligations and train them.

For further information, please contact the members of our Tech and IP team. 

Audrey Rustichelli
Deputy Managing Partner, Avocat à la Cour au Barreau de Luxembourg, PwC Legal

Nicolas Hamblenne
Counsel, Avocat liste IV au barreau de Luxembourg, PwC Legal