Expansion of the scope
Under NIS 1, Member States were left to determine which entities met the criteria for designation as operators of essential services. This inevitably led to inconsistent and therefore unsatisfactory application of its provisions. NIS 2 addresses this shortcoming by introducing a size cap rule based on Commission Recommendation 2003/361/EC, as the general rule for identifying regulated entities. According to this rule, all medium and large enterprises operating or providing services in the sectors covered by NIS 2 in the EU fall within the scope of NIS 2.
Small and micro enterprises also fall within the scope of NIS 2 in exceptional cases, e.g. if they are the sole provider in a Member State of a service that is essential for maintaining critical activities. Certain providers of digital services are even covered by NIS 2 regardless of their size.
In addition, NIS 2 significantly extends the scope of NIS 1 to new sectors and entities, which are now classified as "essential" and "critical".
Thus, NIS 2 not only removes the classification and distinction between operators of essential services and digital service providers, but also massively expands the group of organisations that fall within its scope. This scope now goes far beyond the well-known critical infrastructures and includes some sectors not covered by the previous directive, such as postal and courier services, data centre services, wastewater and waste management, as well as manufacturers of certain critical products such as pharmaceuticals, medical devices and chemicals.
Increased liability of management bodies
NIS 2 now explicitly requires Member States to ensure that management bodies approve cybersecurity risk-management measures of in-scope entities, oversee their implementation and participate in specialised cybersecurity training. Most importantly, managers may now be held personally liable for infringements.
Cybersecurity and resilience are thus explicitly made boardroom issues that will have a direct impact on the corporate governance of the companies concerned. From the draft transpositions already published by some Member States, it can be concluded that delegation of these tasks to third parties will probably not be allowed. Management bodies will therefore have no choice but to develop a minimum level of engagement with cybersecurity in the future.
Sanctions for non-compliance
This is especially true since NIS 2 provides for Member States to impose fines for non-compliance similar to those imposed under the GDPR. Depending on whether an entity is considered "essential" or "important", fines for non-compliance may amount to
- the greater of EUR 10m or 2 % of the company's total global annual turnover in the preceding financial year; or
- the greater of EUR 7m or 1.4 % of the company's total global annual turnover in the preceding financial year.
In addition, national implementing measures may provide for the temporary suspension of managers.
Member States must adopt and publish the measures necessary to comply with NIS 2 by 17 October 2024. These measures will apply from 18 October 2024.
Companies should therefore assess as soon as possible whether (and to what extent) they are subject to NIS 2 and, if so, ensure that they have sufficient (external) resources to successfully meet all implementation requirements in time. Early implementation offers the opportunity to identify risks in a timely manner and to take the right measures to address them, which will ultimately contribute significantly to the success of the company.
author: Felix Schneider