The NIS 2 is the Commission's response to the inconsistent and fragmented implementation of the NIS Directive (EU) 2016/1148 ("NIS 1") by the Member States, which has been criticised on several occasions by stakeholders and the Commission itself.
The revision of this first piece of EU-wide legislation on cybersecurity comes with significant and far-reaching changes for entities in "critical" sectors.
a. Extension of the scope
Under the NIS 1, Member States were responsible for determining which entities met the criteria to be classified as operators of essential services. The NIS 2 addresses this deficiency by introducing a size cap rule as a general rule for determining regulated entities. This rule is based on Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises and stipulates that all medium-sized and large companies operating or providing services in the sectors covered by the NIS 2 fall within its scope. Small enterprises and microenterprises are only covered by the NIS 2 under exceptional circumstances, e.g. if they are the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities or if they provide domain name registration services.
Furthermore, the NIS 2 extends the scope of the NIS 1 to new sectors and entities classified as
- "essential" entities, such as
- operators of hydrogen production, storage and transmission;
- undertakings collecting, disposing of or treating urban wastewater; and
- domestic wastewater or industrial wastewater
as well as
- "important" entities, such as
- postal and courier services providers;
- undertakings carrying out waste management;
- undertakings carrying out the manufacture, production and distribution of chemicals;
- food businesses engaged in wholesale distribution and industrial production and processing;
- manufacturers of (i) medical devices and in vitro diagnostic medical devices, (ii) electrical equipment, and (iii) motor vehicles, trailers and semi-trailers, and digital service providers.
The NIS 2 thus eliminates the classification of and differentiation between operators of essential services – so called "OEDs" – and digital service providers – so called "DSPs". Instead, the NIS 2 provides different rules for "essential entities" and "important entities".
The NIS 2 only excludes entities performing activities in areas such as defence or national security, public safety and law enforcement as well as the judiciary, parliaments and central banks.
b. Responsibility of management bodies
The NIS 2 now explicitly requires Member States to ensure that management bodies approve their cybersecurity risk-management measures, oversee their implementation and may be held liable for infringements. Furthermore, they must participate in specialised cybersecurity training.
The NIS 2 further requires entities within its scope to conduct supply chain security assessments and take "appropriate and proportionate technical and organisational measures" to manage security risks to the network and information systems these entities use in delivering their services.
In addition, the NIS 2 introduces more precise provisions for the procedure and timelines for reporting (significant) incidents to CSIRTs, along with enhanced supervisory measures for national authorities and stricter enforcement requirements.
In particular, the NIS 2 imposes reporting obligations in phases, where the initial notification ("early warning") must be made within 24 hours of the significant incident coming to light. This early warning must be followed by an "incident notification" (within 72 hours) and a "final" report (within one month after the submission of the incident notification).
d. Sanctions for non-compliance
The NIS 2 provides that Member States will impose fines for non-compliance similar to those under the GDPR. Depending on whether an entity is considered "essential" or "important", fines for non-compliance may amount to
- a maximum of at least EUR 10m or a maximum of at least 2 % of the company's total global annual turnover in the preceding financial year; or
- a maximum of at least EUR 7m or a maximum of 1.4 % of the company's total global annual turnover in the preceding financial year.
The NIS 2 will enter into force on 16 January 2023. Member States must adopt and publish the measures necessary to comply with this Directive by 17 October 2024 and must apply them from 18 October 2024.
Consequently, entities covered by the NIS 2 should address its provisions and strive to implement them as soon as possible.