Following an evaluation of the Directive on Security of Network and Information Systems (NIS 1 Directive), the European Union adopted Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148. The new approach, which involves systemic and structural changes, was built on a new policy concept, a set of options and measures, and an impact assessment of the proposed changes.
By December 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.
In general, the draft NIS 2 Directive provides as follows:
introduces stricter supervisory measures for national authorities (and retains the requirement to have a Computer Security Incident Response Team – CSIRT)
contains stricter requirements for legal enforceability
tightens cooperation and information sharing between Member States, including through the creation of a new body called the European Cyber Crises Liaison Organisation Network EU (CyCLONe) for the coordinated management of large-scale cybersecurity incidents and crises and to ensure the regular exchange of information between Member States and EU authorities
strengthens the security requirements for the companies subject to the rules by providing a minimum list of basic compulsory security elements and introducing more precise incident reporting requirements
aims at harmonising sanctioning regimes across Member States (including fines of up to EUR 10,000,000 or up to 2% of a company’s total worldwide annual turnover) and
extends the period for Member States to transpose NIS 2 into national law to two years (from 18 months).
Unlike the NIS 1 Directive, it is intended to cover a broader range of industries (sectors), depending on their importance to the economy and society. It also intends to cover all medium and large enterprises in selected sectors, while allowing Member States to identify other (smaller) enterprises that have a high level of security risk.
At the same time, the NIS 2 Directive is intended to abandon the distinction between basic service providers and digital service providers: entities are now to be classified according to their importance and made subject to different supervisory regimes. The proposed NIS 2 Directive thus aims to abolish the distinction between operators of essential services and providers of digital services and to explore a new approach to classification based on the importance of the service. This would allow for a lighter regime for services that are categorised as “essential” rather than “basic”.
Finally, it also intends to address security requirements, for example by introducing a list of measures including incident response, crisis management, vulnerability resolution and detection, cybersecurity testing and the effective use of encryption. Cybersecurity of supply chains for key information and communication technologies is to be strengthened. The responsibility of company management for compliance and risk management in the area of cyber security is to be adjusted. The obligation to report incidents is to be simplified by clarifying the provisions on the reporting process, its content and timing.
It also introduces a size limitation, which means that only medium and large companies in selected sectors will fall within the scope of NIS 2, while retaining some flexibility for Member States to identify smaller entities with a high security risk profile. However, this exclusion of smaller companies will not apply universally; for example, it does not apply where the provider of a basic or essential service is a provider of public electronic communications networks or publicly available electronic communications services.
The jurisdiction of the NIS 2 Directive will continue to be determined primarily by the Member State in which the provider has its main establishment. This is considered to be the place where decisions on cybersecurity risk management measures are taken, rather than the place where the provider is established in the EU. If such decisions are not taken at any establishment in the EU, the main establishment will be deemed to be in the Member State where the entity has the establishment with the highest number of employees in the EU; and if the provider has no establishment in the EU but offers services in the EU, a representative will need to be appointed for the purposes of the NIS 2 Directive.