NIS2 provides a framework for cybersecurity risk management measures and reporting obligations in specific sectors such as energy, transport, health and digital infrastructure. Furthermore, NIS2 aims to harmonize cybersecurity requirements and implementation of cybersecurity measures in each member state. To this end, this Directive establishes minimum rules for the regulatory environment and mechanisms for effective cooperation between the competent authorities of Member States. NIS2 also expands the list of sectors and activities covered by cybersecurity obligations and provides remedies and sanctions to protect implementation. Compared to previous NIS Directives, the new rules of NIS2 formally establish the European Cyber Crisis Liaison Network (EU-CyCLONe) to provide coordinated management of large-scale cyber security incidents and crises.
Essentials of the NIS2 Directive
- NIS2 Directive Extended Personal Scope
The provisions of NIS2 apply to all entities providing services or carrying out activities within the EU that meet the descriptions of ‘essential’ or ‘essential’ entities in the defined sector list. (Previous directives distinguished between “essential service providers” and “digital service providers”). These entities are divided into critical sectors (energy, health, financial market infrastructure, etc.) and other critical sectors (postal, courier services, digital providers, chemical manufacturing and distribution, etc.). Important exemptions include size limitations. This means that small and micro businesses are excluded in some cases. Possibility for Member States to exempt certain entities involved in national security, public safety, defense, or law enforcement.
In the event of a serious incident, your organization should notify the Computer Security Incident Response Team (CSIRT) or, if applicable, the competent authority. An affected entity must first send early notification to the CSIRT or authorities without delay and within 24 hours after he becomes aware of the event. You must submit an Incident Notification without delay and within 72 hours of detecting a significant event. This should include an initial assessment, including severity and impact, and if possible, specify metrics. Additionally, the NIS2 Directive requires a final report to be submitted within one month of the submission of the incident notification.
- Need for additional risk management and cybersecurity measures
Both critical and critical entities should implement additional cybersecurity risk management measures commensurate with their cybersecurity risk. This includes risk analysis and information security policy, business continuity (including backup management and disaster recovery) and crisis management, and supply chain security (including security related security). Ensure basic “cyber hygiene” practices and cybersecurity training.
- Additional Responsibilities for Administrators
The new Directive increases cybersecurity responsibility for the management of critical and essential entities by requiring the security measures referred to in the paragraph above to be approved and to oversee their implementation. Management can be held liable if the organization does not comply with the cybersecurity requirements laid down in his NIS2 Directive (or the national legislation that implements it).
- stricter supervisory rules
Under the NIS2 Directive, various rules apply to essential entities in the event of a cybersecurity breach. Under the regulations governing mandatory entities, the entity will be fined €10 million, or his 2% of his total worldwide annual turnover if greater. Significant entities are subject to an administrative fine of up to €7 million or, if above, 1.4% of the total global annual turnover of the business in the previous financial year. Critical entities may also be subject to rigorous audits, including onsite inspections and offsite supervision. Regular and targeted security audits conducted by authorities.When For this Audits when justified by significant events or fundamental violations of the provisions of the NIS2 Directive. However, for critical entities, only investigations are conducted. after If a regulatory agency receives evidence, indications or information that it suspects that a material entity is not complying with the NIS2 Directive.
- Registration obligation
Certain organizations (DNS service providers, TLD name registries, entities that provide domain name registration services, cloud computing service providers, data center service providers, content delivery network providers, online marketplaces, online search engines, and social media platforms ) are required. To provide certain information about itself to the competent Member State authorities in order for the European Union Cybersecurity Authority (ENISA) to establish a register of these entities.
- Strengthening European cooperation
NIS2 also coordinates and manages large-scale cybersecurity incidents at EU level (i.e. those that seriously impact at least two EU Member States or exceed the capacity of one Member State to respond) and regularly Establish an EU-CyCLONe to share information publicly. Information between Member States and her EU Institutions.
next step
The NIS2 Directive was issued on December 27, 2022 and is expected to enter into force on January 16, 2023. EU Member States have until 17 October 2024 to adopt and publish the provisions necessary to comply with the Directive.
Article co-authored by Daniella Huszár