Entities Covered by the NIS2 Directive Requirements
Depending on the significance of the individual sectors and the type of services provided, the NIS2 Directive distinguishes two categories of organisations within its scope of application – essential entities and important entities.
Such entities qualify at least as a medium-sized enterprise, meaning they employ at least 50 persons and have an annual turnover and/or annual balance sheet total of at least EUR 10 million. The NIS2 Directive also covers large enterprises, employing at least 250 employees and generating annual turnover exceeding EUR 50 million and/or an annual balance sheet total exceeding EUR 43 million. However, there is an important exception. The NIS2 Directive applies to certain entities regardless of their size. These include entities providing domain name registration services, providers of public electronic communications networks, or providers of publicly available electronic communications services.
The NIS2 Directive provides that Member States shall establish a list of essential and important entities, as well as entities providing domain name registration services (DNS). For this purpose, these entities shall provide address and contact details, the names of the sector and sub-sector, and a list of the Member States in which they provide services. Any change in this respect will have to be notified within two weeks. Member States may also establish national mechanisms enabling self-registration.
Periodically — every two years — the competent authorities are required to notify the European Commission and the Cooperation Group of the number of essential and important entities in each sector and subsector, and to provide relevant information on those entities (sector, subsector, type of service provided).
Obligations of essential and important entities
The NIS2 Directive sets out a list of obligations for essential and important entities. At the same time, it provides that the measures applied are to depend on the specifics of the organisation concerned. The following are the types of such obligations:
- implementation of cybersecurity risk management measures, taking into account the risk, the size of the entity, the likelihood of incidents occurring and their severity (Articles 20 and 21) – the risk analysis must be dynamic and therefore should take into account technical and legislative changes as well as new threats;
- mandatory training for management and recommended training for other employees (Article 20);
- reporting serious incidents to the competent authorities (Article 23);
- where appropriate – notifying service recipients of incidents (Article 23);
- notifying the competent authorities of participation in information-sharing mechanisms or withdrawal from such mechanisms (Article 29);
- using specified certified ICT (information and telecommunications technology) products, services and processes, whether the entity's own or acquired (Article 24).
Our comment: Implementing the obligations set out in Article 23 of the NIS2 Directive may be challenging due both to the need for detailed knowledge in this area and to the short incident notification deadline. The initial warning should be provided within 24 hours, and for some entities this is also the deadline for the formal incident report (although, as a rule, it is 72 hours).

Risk management measures
One of the fundamental obligations is the implementation of appropriate and proportionate technical, operational and organisational measures. The purpose is to manage the risk to the security of network and information systems and to prevent or mitigate the impact of incidents on service recipients.
The measures discussed are based on a risk-based approach covering all threats. The purpose of such an approach is to protect networks and information systems, as well as the physical environment of those systems, against incidents. The precise rules governing the obligations of entities will be set out in national legislation. The NIS2 Directive indicates only the minimum necessary measures aimed at limiting the risk of a security incident, which must be ensured by each entity within its scope of application.
The EU legislator did not specify the measures for each category of entities. It allowed a degree of flexibility in this regard, while stipulating that the assessment of the proportionality of those measures must take into account the extent to which the entity is exposed to risk, the size of the entity, and the likelihood of incidents occurring, as well as their severity, including their social and economic impact.
An entity that determines that it does not meet the requirements of the NIS2 Directive in this regard will be required to promptly implement appropriate and proportionate remedial measures. As noted above, risk management measures should take all threats into account and aim to protect networks and information systems, including their physical environment, against incidents (Article 21(2)). They should therefore include at least:
- a policy on risk analysis and systems security;
- incident handling (detection and response);
- business continuity and crisis management;
- supply chain security (including aspects related to the security of relations between the entity and its suppliers or service providers);
- security in the acquisition, development and maintenance of networks and systems, including the handling and disclosure of vulnerabilities;
- policies and procedures for assessing the effectiveness of risk management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures on the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- where appropriate, the use of multifactor or continuous authentication, secured voice, text and video communications, and secured internal emergency communications systems within the entity.
Cybersecurity risk management measures are to be approved by the management bodies of the entity. In order to properly implement these obligations, those bodies have been required to undergo regular training, and it is also proposed that training be offered to other employees.
Our comment: Due to the lack of guidelines and a methodology for cybersecurity risk management, it is currently difficult to state unequivocally how the individual related instruments should be structured.
Pursuant to Article 21(5) of the NIS2 Directive, the European Commission will, by 17 October 2024, specify the technical and methodological requirements concerning the measures described above. They will apply to the following entities: DNS service providers, top-level domain (TLD) name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers, social networking platform providers and trust service providers. The European Commission may also specify requirements relating to other essential and important entities not listed above.
Cybersecurity training
The NIS2 Directive places exceptionally strong emphasis on cybersecurity training. It is worth mentioning, for example, the following recommendations:
- recital 89, according to which essential and important entities should adopt a broad range of basic cyber hygiene practices, such as raising user awareness, and should also provide training for employees and disseminate knowledge about cyber threats, phishing or social engineering techniques
- Article 20(2), according to which regular training for members of the management bodies of essential and important entities is to be mandatory. The training is to provide knowledge and skills enabling participants to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity. Member States are also to encourage essential and important entities to offer similar training to their employees;
- Article 21(2), pursuant to which risk management measures include, inter alia, cybersecurity training;
- recital 51, pursuant to which, in national cybersecurity strategies, Member States should encourage research and development activities aimed at facilitating the use of innovative technologies, in particular those related to automatic or semi-automatic tools in the field of cybersecurity, and, where appropriate, the exchange of data necessary for training users of such technology and for its improvement.
Reporting of breaches (incidents)
Each Member State is obliged to ensure that essential and important entities, without undue delay, report to their relevant computer security incident response teams (CSIRTs) or, where applicable, to their competent authorities, a significant incident having a material impact on the provision of their services. Pursuant to Article 23(4) of the NIS2 Directive, for reporting purposes the entity should submit to the CSIRT or the competent authority:
- without undue delay and, in any event, within 24 hours of becoming aware of the significant incident – an early warning indicating, where applicable, whether the significant incident is suspected to have been caused by unlawful or malicious acts or may have a cross-border impact;
- without undue delay and, in any event, within 72 hours of becoming aware of the significant incident – an incident notification, in which it shall, where applicable, update the information referred to above and indicate an initial assessment of the significant incident, including its severity and impact, as well as (where applicable) integrity indicators of the system. By way of derogation, a trust service provider shall report significant incidents without undue delay and, in any event, within 24 hours of becoming aware of such significant incident;
- at the request of the CSIRT or the competent authority – an interim report on relevant status updates;
- no later than one month after the incident notification – a final report.
If the incident is not concluded by the deadline for submitting the final report, the entity shall provide a progress report, and the final report shall be submitted within one month after the incident has been handled.
Where appropriate, essential and important entities will also notify the recipients of their services who may potentially be affected by a significant cyber threat of such an incident and of the remedial measures or other measures they may take in response to that threat.
Obligations of the competent authorities in the event of a personal data breach
The manner in which the competent authorities are to act where a breach of obligations by an essential or important entity may entail a personal data breach is set out in Article 35 of the NIS2 Directive. Pursuant to that provision, if, during supervision or enforcement, the competent authority becomes aware of such a breach, it shall without undue delay inform the supervisory authority established under the GDPR.
If the aforementioned supervisory authority imposes an administrative fine for a breach of the GDPR, the authorities within the meaning of the Directive shall not impose an administrative fine for a breach arising from the same conduct for which an administrative fine has already been imposed under the GDPR. They may, however, apply the enforcement measures laid down in the NIS2 Directive (such as issuing binding instructions or orders requiring the relevant entities to remedy the identified deficiencies).
Summary
Compared with the previous version, the NIS2 Directive expands both the scope of entities covered and the scope of their obligations. The NIS2 Directive distinguishes two basic categories of organisations within its scope of application – essential entities and important entities. One of the key obligations of these entities is to implement appropriate and proportionate technical, operational and organisational measures. These measures are to take into account all threats and provide protection against incidents. Management bodies of entities subject to the requirements of the NIS2 Directive have been required to undergo regular cybersecurity training. All of this is intended to increase Europe’s resilience to cyber threats by establishing common security standards.