NIS2 Directive

NIS2 represents a pivotal advancement in fostering cybersecurity and bolstering resilience across Europe's digital landscape, are you ready?

What is NIS2?

Directive (EU) 2022/2555 (‘NIS2’) is EU-wide legislation on cybersecurity that provides legal measures to increase the overall level of cybersecurity in the EU.

NIS2 takes effect across the EU from 18 October 2024.

Public and private sector organisations must now determine its impact on their current cybersecurity posture, identify their compliance roadmap and understand the far reaching consequences of non-compliance – which includes stricter supervision and enforcement, administrative fines and personal responsibility for upper management.

Why the need for NIS2?

NIS2’s predecessor, Directive (EU) 2016/1148 (‘NIS-D’), came into force in 2016 and was the first horizontal EU law aimed at improving the resilience of network and information systems in the EU against cybersecurity risks. NIS-D has shown certain limitations in light of unprecedented digitalisation in recent years. NIS2 aims to address these shortcomings through national cybersecurity strategies, enhanced co-operation and information sharing between Member States, increased risk management and incident reporting obligations, and stricter regulatory supervision and enforcement.

Who does NIS2 apply to?

Generally, NIS2 applies to public and private sector entities that provide certain critical services or critical infrastructure, qualify as medium-sized or a large-sized enterprises and which provide their services or conduct their activities within the EU. However, some entities will be subject to the new rules regardless of their size and Member States may bring other entities within the scope of NIS2. Also, a covered entity’s supply chain may be indirectly affected by NIS2. One of the most important elements of the NIS2 Directive are policies, processes and controls for assessing supply chain security that includes third party risk and fourth party risk.

What major changes does NIS2 bring?

• More sectors in scope: NIS2 expands the scope of NIS-D by adding new sectors based on their degree of digitalisation and interconnectedness and how critical they are for society and economies. Clear size thresholds have been introduced so that all medium and large-sized organisations in selected sectors (including the public sector) will be in scope. Exemptions are available, and organisations should carefully consider their availability and whether other sectoral rules apply to them. Does your company have over 50 employees or an annual turnover of €10 million? If so, you may be one of the thousands of companies affected by NIS2.
  
  It is estimated that NIS2 will impact over 100,000 organizations across the EU in addition to those already within the scope of NIS-D, as it increases the scope from seven sectors to eighteen:

• New categorisations: NIS2 removes the NIS-D distinction between ‘operators of essential services’ and ‘digital services providers’. Under NIS2, entities are classified by importance and divided into the categories of ‘essential’ and ‘important’ entities, which will be subjected to different regulatory supervision and enforcement measures, including different maximum thresholds for administrative fines.
  
• Personal responsibility: NIS2 introduces personal responsibility for members of management of essential and important entities for failure to comply with cybersecurity risk management requirements. In certain circumstances, a competent authority may, in respect of essential entities only, require the temporary prohibition of a person responsible for discharging managerial responsibilities at CEO or legal representative level in the essential entity from exercising managerial functions.
  
• Enhanced regulatory supervision: NIS2 sets out new powers of supervision that competent authorities must have, including powers to conduct on-site inspections, off-site supervision, random checks, regular and targeted security audits, ad hoc audits, security scans, requests for information, access to data and evidence of implementation of cybersecurity policies.
• Enforcement, fines and offences: NIS2 sets out new powers of enforcement that competent authorities must have. Most significantly is the introduction of administrative fines that can be imposed on entities if they breach certain requirements.
  • For essential entities: administrative fines of a maximum of at least €10,000,000 or a maximum of at least 2% of the total worldwide annual turnover in the previous financial year of the undertaking to which the essential entity belongs, whichever amount is higher.
    
  • For important entities: administrative fines of a maximum of at least €7,000,000 or a maximum of at least 1.4% of the total worldwide annual turnover in the previous financial year of the undertaking to which the important entity belongs, whichever amount is higher.
    

We expect Irish transposing legislation to set out various offences attracting criminal penalties to include fines and/or possible imprisonment.

• Stricter risk management requirements: NIS2 strengthens and streamlines security and reporting requirements for organisations by imposing a risk management approach, which sets out a minimum list of basic security considerations that must be implemented – for example: policies on risk analysis and information system security, incident handling, business continuity and supply chain security. Each of these must be assessed against organisations’ current processes, which must ‘without undue delay’ take all necessary, appropriate and proportionate corrective measures.
  
• Enhanced incident notification requirements: NIS2 introduces strict rules on the process for incident reporting, content of the reports and timelines. In addition to reporting to the local CSIRT, entities may need to report incidents to recipients of their services. Heightened obligations apply when reporting so-called ‘significant incidents’ which includes phased notification commencing with an ‘early warning’ within 24 hours of becoming aware of same.
  
• ICT supply chains and supplier relations: NIS2 requires individual organisations to address cybersecurity risks in their own ICT supply chains, as well as within supplier relationships. NIS2 will indirectly impact suppliers that do not fall within its scope but which provide products and/or services to entities regulated by NIS2. Member States, in cooperation with the European Commission and ENISA, may conduct EU-wide coordinated security risk assessments of critical supply chains.
  
• Registration with supervisory authority: In-scope entities will need to assess their categorisation under NIS2 and provide the competent authorities certain information to be included in Member State's registries of entities. The timeline to do this is generally before 17 April 2025. However, some entities will need to do this before 17 January 2025.

NIS2 - Actions to take now

• Determine whether your organisation is regulated by NIS2: Organisations operating in the sectors defined in NIS2 will need to assess whether they fall within its scope, the availability of any exemptions, their categorisation as ‘essential’ or ‘important’, their NIS2 obligations and the impact on their current cybersecurity compliance framework.
• Determine what Member State laws apply to your organisation: NIS2 jurisdiction rules require careful consideration, and may cause certain entities to rethink the geographic positioning of cyber decision making. Certain types of entities that are not established in the EU, but which offer their services within the EU, must designate a ‘Representative’ established in one of the Member States where its services are offered.
  
• Determine what other EU cybersecurity laws apply to your organisation: NIS2 is part of an overall EU cyber strategy, and is just one of several EU-wide cyber-related laws that in-scope organisations will need to build into their compliance frameworks. Organisations must understand how all existing and impending EU data, cybersecurity and technology laws are intertwined, so that a holistic approach can be taken when designing and implementing compliance strategies.
  
• Review your organisation’s incident response procedures: Evaluating your organisation's incident response procedures is crucial for ensuring effective handling of cybersecurity breaches. Organisations should regularly review and update incident response processes to align with evolving threats and technology, and verify communication channels, assign clear responsibilities, and conduct realistic drills to enhance preparedness. This ongoing assessment ensures a robust NIS2 response framework, safeguarding against potential cyber threats and minimising the impact of security incidents on your organisation.
• Review your organisation’s cybersecurity risk management procedures: Regularly review and update cybersecurity risk management processes to address evolving threats and vulnerabilities. Analyse potential weaknesses in the current risk system and implement robust measures to safeguard sensitive information. Foster a culture of awareness and vigilance among team members to enhance overall cybersecurity resilience and mitigate potential risks.
  
• Review your organisation’s Third-Party Risk Management (TPRM) processes: Assess your organisation's TPRM processes thoroughly to enhance security and NIS2 compliance. Evaluate vendor relationships, assess potential vulnerabilities, and ensure robust risk mitigation strategies are in place. Regularly update and adapt TPRM to align with industry best practices, minimising potential threats and optimising overall operational resilience. Regular reviews are essential for maintaining a proactive approach to safeguarding sensitive information and maintaining stakeholder trust.
  
• Review your culture and ways of working to identify risks to NIS2 compliance: Understanding the culture and ways of working in your organisation is a key step in determining the risks your organisation may face in complying with NIS2. The introduction of previous EU regulation such as GDPR has shown that behavioural change is a core facet of risk mitigation and ensuring that individual actions do not expose your organisation to avoidable risks and penalties. Given the introduction of ‘personal responsibility’ as part of NIS2, addressing the behavioural change requirements of management will form a core building block of an effective strategy to respond to the introduction of NIS2.

How can EY help to prepare your organisation for NIS2?

• Whether NIS2 applies to your organisation and whether exemptions may apply.
• Identifying other EU cybersecurity laws that may apply to your organisation and their impact.
  
• How to navigate NIS2 jurisdiction rules, harnessing ‘one-stop-shop’ efficiencies and satisfying any requirement for an EU-based representative.
  
• Legal and technical assessment and gap-analysis of your organisation’s existing cybersecurity risk management and incident reporting measures and designing your roadmap to compliance.
  
• Assessing ICT and other supply chains and your current contractual frameworks.
  
• Assist your organisation to fulfil registration obligations before 17 January 2025 or 17 April 2025, depending on services your organisation provide.