In December 2022, a new directive was adopted to ensure a high common level of cybersecurity in the EU. Directive (EU) 2022/2555, also known as the NIS2 Directive, repeals and replaces the former Directive (EU) 2016/1148 on the security of network and information systems – also known as the NIS1 Directive. In this blogpost, we will highlight the core changes to this framework, as well as frame the new Directive in the EU’s broader cybersecurity strategy.
The NIS1 Directive was adopted in 2016 and had to be transposed by the Member States by 9 May 2018. That process was only completed in 2019, due to some Member States not meeting the deadline.
In the field of cybersecurity, a lot has happened since then. Today, it is estimated that 22% of EU enterprises suffered ICT-related security incidents in 2021. Ransomware attacks were up 41% in 2022. The global average cost of a data breach was estimated at USD 4,35 million in 2022 – rising to USD 10,1 million in the healthcare sector. The global cost of cybercrime was estimated at EUR 5,5 trillion by the end of 2020.
At the same time, the increasing interconnectedness of all layers and sectors of society and the growth of teleworking following the COVID-19 pandemic result in an ever more important reliance on network and information systems. This underlines the need for strong policies in the field of cybersecurity.
However, while reviewing the NIS1 Directive, it was discovered that this framework failed to meet its projected goals in several ways.
Weighing a number of different policy options, the European Commission decided on a complete repeal and replacement. The NIS2 Directive was proposed in late 2020 and adopted in December 2022. It will have to be transposed by the Member States by 17 October 2024 and becomes applicable the day after.
NIS2 is not a completely novel framework. It largely maintains the approach set by the NIS1 Directive, but with a tightened scope and a few new obligations. In terms of overall scope, the focus has also shifted from ‘network and information security’ to ‘cybersecurity’. This is important, as cybersecurity – as defined under the EU Cybersecurity Act – also covers “the users of such systems, and other persons affected by cyber threats”.
In terms of covered entities, NIS2 excludes small and micro-enterprises in most cases. The focus has been shifted to essential and important entities, as described in Annexes 1 and 2 to the Directive. This list has been substantially expanded from NIS1.
New entries marked as essential include, amongst others,
In terms of other critical sectors, NIS2 marks
Member States must still adopt a national strategy. NIS2 sets out the minimum requirements for such a strategy more clearly, thus leaving less discretion than NIS1.
Member States must now also designate authorities responsible for the national management of large-scale cybersecurity incidents and crises (cyber crisis management authorities), and their tasks are clearly set out. Furthermore, NIS2 elaborates more clearly the duty of Member State authorities to coordinate and cooperate with each other.
At the EU level, NIS2 maintains the Cooperation Group, with the support of the European Commission and ENISA – now designated as the EU agency for cybersecurity. The national cyber crisis management authorities also receive an EU platform: EU CyCLONe. Member States may now also submit their national policies for peer review.
In terms of risk management, NIS2 puts greater responsibility on the management bodies of entities. They must undergo training and can be held liable for infringements against this framework.
This ensures that upper management becomes a direct stakeholder in the cybersecurity compliance of their organization, and that they are more inclined to make adequate budgets available for it.
NIS2 maintains the risk-based approach set out by NIS1, but elaborates the minimum elements of such an approach more clearly. As before, significant incidents must be notified to CSIRTs. NIS2 sets out clearer deadlines for when such notification should occur, and may also require the recipients of the services involved to be notified if they could be adversely affected.
Regarding supervision and enforcement, NIS2 more clearly formulates the competences of authorities in this field, as well as the actions they can take. Regarding fines, NIS2 imposes certain thresholds, ensuring that fines are more harmonized across the EU.
Since NIS1, several other texts have been adopted in the field of cybersecurity.
One text is the EU Cybersecurity Act, which designates ENISA as the EU agency for cybersecurity and establishes an EU-wide certification scheme for ICT products, services and processes.
Closely linked to NIS2 is the new Directive on the resilience of critical entities (CER Directive), which focuses more on the physical security of essential entities – whereas NIS2 focuses on their cybersecurity.
Specific sectors can also adopt their own cybersecurity framework, tailored to the needs and challenges of that sector. In this sense, NIS2 serves as the lex generalis in the field of cybersecurity, where sector-specific texts can serve as lex specialis.
One example of such a sector-specific text is the Regulation on digital operational resilience for the financial sector (DORA). This text imposes specific requirements on 21 types of regulated financial entities, as well as on the third-party ICT service providers on which they rely.
Do you have any questions regarding the cybersecurity compliance of your organization? Please contact Timelex.