The European Commission published on 16 January 2023 the final text of the NIS2 Directive (measures for a high common level of cybersecurity across the Union), which means that by 17 October 2024 Luxembourg and the other member states must adopt and publish national legislation incorporating the provisions of NIS2.
Below are some key take-aways on what to expect from the NIS2 implementation.
NIS2 introduces a size-cap rule, extending its scope to all medium and large-sized entities in 11 sectors specified in Annex I of the Directive, namely:
1. Energy
2. Transport
3. Banking
4. Financial market infrastructure
5. Health
6. Drinking water
7. Waste water
8. Digital infrastructure
9. ICT service management
10. Public administration
11. Space
Unlike NISD 1, NIS2 no longer refers to operators of essential services (OES) or digital service providers (DSPs). Instead it defines requirements for two new categories of entities: Essential and Important. The list of Essential and Important entities will be kept by the European Union Agency for Cybersecurity (ENISA).
NIS2 details the cyber risk measures that need to be put in place. The requirements differ for Essential and Important entities: while Essential entities are subject to an ex-ante supervisory regime (e.g., on-site inspections and off-site supervision, random checks, audits and requests for evidence of implementation of cybersecurity policies), Important entities are not systematically required to document compliance with the cybersecurity risk management requirements.
Both Essential and Important entities shall take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems. In practice, it means that the entities in scope should:
NIS2 also amends incident reporting requirements and imposes notification obligations in phases:
Administrative fines of up to 10 million EUR or 2% of the company's total global annual turnover can be levied for non-compliance with the Directive. In addition to fines, penalties can include binding instructions to bring security measures in line with NIS2 requirements, as well as to implement the recommendations of a security audit. Where a significant cyber threat is likely, entities can also be required to inform the recipients of their services of the threat itself. Last but not least, NIS2 makes it possible to hold natural persons representing Essential entities liable for a breach of their duties to ensure compliance with the Directive.
Deloitte can help to create a roadmap for implementing the compliance measures for risk management, aligning it with the other regulations applicable to your organization.