NIS2: How starting your compliance journey now will safeguard your future

New EU cybersecurity directive NIS2 will help strengthen cybersecurity and organisational resilience in this digital age.

In brief

• NIS2’s legislative scope extends to 18 sectors, including public bodies, research organisations and certain food and manufacturing organisations. 
• Organisations will have to address cybersecurity risks in their own ICT supply chains. Early assessments of suppliers and contractual enhancements will be key.
• Breach of obligations could mean large fines, for example ‘essential entities’ may face fines of a maximum of at least €10,000,000 or 2% of the total worldwide annual turnover in the previous financial year.

The intense uptake of digital solutions and innovative technologies over the past four years has changed the way we socialise, work, shop, bank, and receive necessary services, such as health. As sectors and services increasingly become interconnected and interdependent, the cybersecurity threat landscape continues to grow in sophistication and focus.

Safeguarding critical infrastructures and services is paramount to protect society and economies from these actors. In response, EU lawmakers have introduced several interconnected EU-wide laws to improve the digital and operational resilience of the sectors and services we rely on most. 

The second Network and Information Systems Directive (Directive (EU) 2022/2555 (‘NIS2’) is one of these EU-wide laws. It comes into effect on 18 October 2024 and will have a compliance impact on many public and private sector organisations, across 18 sectors, similar to that experienced under the GDPR. The regulatory supervision and enforcement measures under NIS2 bear similarities to the GDPR. However, direct accountability and liability for upper management and possible suspension of CEO duties, brings this squarely into the board room.

NIS2 is an evolution from its predecessor NIS-D, extending the legislative scope to capture entities in a number of additional sectors and sub-sectors, including public bodies and a wider range of digital service providers, as well as covered entities’ ICT supply chains.

NIS2 sets out the minimum powers of supervision and enforcement that Member State competent authorities must have. Administrative fines can be imposed on essential and important entities for breaches of obligations relating to cybersecurity risk management measures and incident notification. For ‘essential entities’ the maximum fine is the higher of at least €10,000,000 or at least 2% of the total worldwide annual turnover in the previous financial year. For ‘important entities,’ these figures are €7,000,000 and 1.4%.

Irish legislation must be enacted before 18 October 2024 to transpose NIS2. Consistent with its treatment of NIS-D, the transposing legislation will provide that breaches of certain provisions of same will be a criminal offence. We expect that a person found guilty of any of these offences will be liable on conviction to a fine and/or imprisonment.

It is vital that CEOs, CFOs, CIOs, CISOs and board members understand not only the financial, personal, and reputational consequences of non-compliance - which underscores the urgency of pursing NIS2 compliance now - but also the role that NIS2 will play in safeguarding their organisation’s cybersecurity and operational resilience.

Navigating NIS2

Legal analysis: the first step on your NIS2 journey

Organisations will differ in their level of compliance or maturity across the key control areas that are required under NIS2. However, one thing is certain, all in-scope organisations should now be considering the implications of NIS2 to ensure they have sufficient time to assess, design, and implement their compliance plans before NIS2 comes into effect.

Organisations operating in the sectors defined in NIS2 will need to assess whether they fall within its scope, the availability of any exemptions, their categorisation as ‘essential’ or ‘important’, their NIS2 obligations, and the impact of and interplay with other EU cybersecurity and operational resilience laws. 

NIS2 requires organisations to address cybersecurity risks in their own ICT supply chains. In practice, this will require a risk-based assessment of ICT supplier relationships, enhancing contracts and securing inspection and other rights to ensure supply chain security. Early supplier engagement will be essential. 

To the extent certain in-scope organisations are established and/or providing their services in more than one EU Member State, they may be subject to implementing laws in more than one jurisdiction or the EU Member State where their cybersecurity risk management decisions are predominately made. The NIS2 jurisdiction rules require careful consideration and may cause certain entities to rethink the geographic positioning of cybersecurity decision making.