- On 28 November 2022 the Council of the European Union announced that it has adopted the Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (“NIS2 Directive”). This follows the European Parliament’s approval of NIS2 Directive on 10 November 2022.
- NIS2 Directive is expected to be published in the Official Journal of the European Union by the end of the year and will enter into force on the twentieth day following its publication. Member States will have 21 months from its entry into force to incorporate its provisions into their national law.
- The transposition period may give a false sense of comfort: many organizations will have to revamp, or at least substantially improve, their existing processes and practices while preserving the normal course of business and strengthening their competitive edge.
Changes introduced by the new law:
The legislation will set tighter cybersecurity obligations for risk management, incident reporting and information sharing. The requirements cover, among others, incident handling (prevention, detection and response), supply chain security, encryption and vulnerability disclosure.
Member States are required to adopt a national cybersecurity strategy defining the strategic objectives and the appropriate policy and regulatory measures with a view to achieving and maintaining a high level of cybersecurity. NIS2 Directive establishes a framework for coordinated vulnerability disclosure and requires Member States to designate computer security incident response teams (CSIRTs). NIS2 Directive also establishes a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States and to build trust and confidence.
Which sectors and entities are in scope?
More public and private entities and sectors will have to take measures to build their cybersecurity and resilience. In addition to the sectors covered by the NIS Directive (energy, transport, banking, health, drinking water supply and distribution, digital infrastructure), new sectors falling within the scope of NIS2 include space, postal and courier services, waste water and waste management, food production, processing and distribution, and the manufacturing of certain critical products (e.g., pharmaceuticals, medical devices, chemicals).
Importantly, NIS2 Directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by NIS2 Directive shall fall within its scope. Some organizations shall also fall within its scope even if they do not meet the size-cap rule (for example, the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities). NIS2 Directive shall apply to public administrations at central and regional level.
What to do if your entity falls within the scope of NIS2 Directive?
Management bodies of all entities within the scope of NIS2 Directive will need to approve cybersecurity and resilience risk management measures, oversee their implementation, and can be held liable for infringements. They will also be required to follow cybersecurity-related training.
Obliged organizations will have to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems. They will also have to notify the national competent authorities or CSIRTs of any cybersecurity incident having a significant impact on the provision of their services. It is important to note that the reporting deadlines are short. Where an organization becomes aware of a significant incident, it must submit an early warning without undue delay and in any event within 24 hours. That early warning must be followed by an incident notification, submitted without undue delay and in any event within 72 hours of becoming aware of the significant incident.
What will happen in cases of non-compliance with the new legislation?
Member States shall ensure that competent national authorities have the power to, among other things, issue warnings to non-compliant organizations, issue binding instructions and impose administrative penalties. Entities may be subject to significant administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs.
Don’t delay action
The process of developing and implementing effective legal, compliance, technical and organizational rules, controls and solutions will require dedicated effort to identify gaps and areas for improvement, and potentially to reorganize internal processes and/or resources, in order to become compliant while preserving the organization's competitive edge and reputation.