THE LENS
Digital developments in focus

Are you ready for NIS2 – new EU cyber law applies from 18 October

New European cyber law NIS2 must be implemented at local member state level by 18 October. Do you know if you are in scope (and if you are, what you need to do to comply)? 

Our briefing will help you understand who is in scope, the new rules NIS2 imposes on organisations, how it differs from the regime it is replacing and what steps you should be taking now to comply. 

What are the key differences between NIS2 and the original NIS regime?

NIS2 provides legal measures to boost the overall level of cybersecurity in the EU. It builds on the first NIS Directive, which aimed to improve the resilience of network and information systems in the EU against cybersecurity risks, focusing on essential services in key sectors and certain digital service providers. 

Following a review of the NIS Directive in 2020, the Commission concluded that it had helped improve cybersecurity capabilities in Member States but had failed to fully address current and emerging cybersecurity challenges. There were also significant divergences in the implementation of the original NIS Directive across Member States. 

As a result, the Commission proposed a revised directive, NIS2, which aims to improve on the existing cybersecurity regime. For example, it: 

  • Expands the scope – NIS2 adds new sectors based on their degree of digitalisation and interconnectedness and how crucial they are for the economy and society. For example, managed service providers, food distributors, postal services and chemical producers are all now in scope. It also introduces a clear size threshold rule, meaning all medium and large companies in the selected sectors will be in scope. There is, however, discretion for Member States to bring smaller entities with a high security risk profile into scope.

  • Removes the distinction between operators of essential services and digital service providers that was found in the original NIS regime. Instead, entities will be classified as either essential or important entities, with essential entities facing a stricter supervisory regime.

  • Strengthens and streamlines the security and incident reporting/notification requirements. NIS2 imposes a risk management approach which lists out minimum security requirements. It also requires organisations to address cyber risk in their supply chains and to provide an early warning notification within 24 hours of becoming aware of an incident.

  • Establishes senior management liability and training obligations as part of its governance provisions.

  • Introduces more stringent supervisory measures for national authorities and stricter enforcement requirements – it also aims to harmonise sanctions across Member States (although it is still a Directive requiring implementation at Member State level and not a directly effective Regulation).

  • Introduces changes at European level, including increased information sharing and co-operation between Member State authorities and the setting up of an EU vulnerability database for publicly known vulnerabilities in ICT products and services. 

Our briefing sets out more information on the new sectors that are now in scope, the security rules and incident notification obligations organisations now face, as well as a checklist of steps organisations can take now to help comply. 

Comment

Given its broader scope, this new law will impact a wide range of organisations. Even if your organisation is not in scope, it is still useful to know that your key ICT (and other critical) service providers are likely to be impacted. For those in scope, now is the time to take action (see our checklist of actions to take). 

If your organisation is already used to complying with an NIS regime, NIS2 is about checking your risk management, security, notification and training processes are still fit for purpose, and adjusting to the new governance and senior management liability provisions. If you are new to the regime, more work will be required to put these processes in place, possibly building on existing sector, or GDPR, processes and procedures. 

If your organisation operates across a number of jurisdictions, you will also have to look carefully at the specific local implementing laws in each relevant Member State. While part of the driver for NIS2 was to address issues caused by the significant divergences that existed in the original regime, it is not directly effective and relies on implementation by Member State governments. Divergence is therefore still likely to be an issue. 
