NIS2 Directive Is on the Edge of Enforcement: What Now for EU/U.S. Companies?
Publication | 01.28.25
Since October 18, 2024, the requirements of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) apply across the EU; the Directive itself had entered into force in January 2023, and Member States were required to transpose it by October 17, 2024. The NIS2 Directive outlines the cybersecurity responsibilities of both “essential” and “important” entities, and sets out the duties of “management bodies,” emphasizing their personal liability for failure to comply with the new mandates, along with significant penalties for entities that fail to meet their obligations.
What is NIS2?
The objective of the NIS2 Directive is to set out measures to achieve a high common level of cybersecurity across the EU. It expands the scope of cybersecurity requirements to include both “essential” and “important” entities in various sectors, including energy, transport, banking, health, digital infrastructure, and others. The NIS2 Directive introduces size-based thresholds for applicability and imposes substantial fines for non-compliance.
Which entities fall under the scope of NIS2?
To ascertain whether an organization needs to adhere to the NIS2 Directive, it is crucial to first identify if it is classified as either an “essential” or “important” entity, based on whether the company:
- provides services or carries out activities in the EU, whether or not it is established in the EU;
- qualifies as at least a medium-sized enterprise under the EU SME definition, i.e., employs 50 or more persons, or has an annual turnover and/or annual balance sheet total exceeding 10 million euros (one of the two criteria is enough); and
- operates in the sectors listed in Annexes I and II of the NIS2 Directive (requires assessment by each entity).
Certain specific entities automatically fall under the purview of the NIS2 Directive, regardless of their number of employees or annual revenue, because of the potential for significant adverse impacts on European citizens resulting from disruptions to these businesses. These entities include:
- Providers of public electronic communications networks or services that are available to the public;
- Providers of trust services;
- Registries for top-level domain names and providers of domain name system services; and
- Public
As all EU Member States were required to transpose the NIS2 Directive into their national legislation by October 17, 2024, businesses should check whether the relevant Member State has broadened the scope of the NIS2 Directive to cover additional companies or sectors.
In addition, certain categories of entities that are not established in the EU but provide their services within the EU (in particular DNS service providers, top-level domain name registries, domain name registration services, cloud computing, data centre, content delivery network, managed service and managed security service providers, and providers of online marketplaces, online search engines and social networking platforms) must designate a representative in the EU, a mechanism comparable to the representative requirements under the GDPR and the Digital Services Act. The Member State in which the representative is established is deemed to be the Member State with jurisdiction over the entity. In the absence of a representative, any Member State in which the entity provides its services may take direct action against the entity in the event of a breach of the NIS2 Directive.
Which obligations?
Risk management measures
Entities falling within the scope of the NIS2 Directive will be required to implement at least the following key measures:
- Risk analysis and information system security policies;
- Incident handling protocols;
- Business continuity plans, such as backup management and business resumption;
- Supply chain security and security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure, and the security-related aspects of the relationship between each entity and its direct suppliers or service providers. Companies must consider the specific vulnerabilities of each direct supplier and service provider, and evaluate the overall quality of their products and cybersecurity practices, including their secure development processes;
- Cybersecurity testing;
- Auditing procedures;
- Regular cybersecurity training, not only for management bodies but also for the employees;
- HR Security, access control policies and asset management; and
- The use of multi-factor authentication and encryption, and secure emergency communications systems within the entity (where appropriate).
Management bodies are tasked with approving the cybersecurity risk management measures adopted by their entities and overseeing their implementation, and can be held liable for failures to comply with the above measures. In addition, members of management bodies are required to undergo cybersecurity training, and are encouraged to offer similar training to employees, or face the significant liability discussed below.
While the NIS2 Directive does not set forth specific standards for cybersecurity in the context of implementing risk management measures, it does encourage Member States to adopt European and international standards and technical specifications to ensure a harmonized implementation. For instance, Belgium, and very likely Luxembourg and Germany, have referenced ISO 27001 certification in their laws enacting NIS2, offering entities with this certification a presumption of compliance with the NIS2 Directive.
Reporting obligations
Essential and important entities must promptly inform the competent authority or the national CSIRT of any significant incident, i.e., an incident that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or that has affected or is capable of affecting other persons by causing considerable material or non-material damage. Additionally, they are required to notify the recipients of their services, where appropriate and without undue delay, of significant incidents likely to adversely affect the provision of those services, and of any measures or remedies those recipients can take in response to a significant cyber threat. For example, in the event of a significant cyber incident, a chemical manufacturer is required to notify both the relevant authority and its affected suppliers and customers, offering them any possible measures or remedies they can take in response to the threat.
The reporting follows a staged timeline: an early warning within 24 hours of becoming aware of the significant incident, an incident notification (including an initial assessment of severity, impact and indicators of compromise) within 72 hours, an intermediate report upon request of the authority or CSIRT, and a final report within one month of the incident notification. If the incident is still ongoing at that point, a progress report is submitted instead, followed by the final report within one month of the incident being handled.
Implementation
Essential and important entities, as well as entities providing domain name registration services, will have until January 17, 2025, to register with the competent authority. Essential entities are subject to both ex ante and ex post supervision, meaning the competent authorities may proactively audit and inspect their cybersecurity measures, while important entities are only subject to ex post supervision: they need only register, but the competent authorities may, at any time, require an important entity to provide evidence of compliance.
It is important to note that Member States may provide for a higher level of cybersecurity when implementing the NIS2 Directive into national law, so companies need to be careful and review the laws applicable in the countries where they provide services.
Enforcement
Each Member State must designate one or more competent national authorities whose role encompasses supervising the Directive’s enforcement, ensuring that entities comply with their cybersecurity obligations, and, together with the national CSIRT, facilitating a coordinated response to cybersecurity incidents. This oversight is crucial for maintaining a high level of cybersecurity within the Member State and for protecting the integrity of essential and important services.
Sanctions and liability of management body?
The enforcement measures range from issuing warnings and binding instructions to mandating remediation actions within a set deadline or requiring the public disclosure of violations of law.
Entities that fail to meet their cybersecurity risk management or incident reporting requirements may face administrative fines. For important entities, fines can reach up to 7 million euros or 1.4 percent of their total worldwide annual turnover, whichever is higher. Essential entities could be fined up to 10 million euros or 2 percent of their total worldwide annual turnover, whichever is higher.
The NIS2 Directive also allows the competent authorities, where an essential entity fails to comply with their instructions within a set deadline, to temporarily prohibit individuals with managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity. Some Member States have implemented corresponding provisions in their national laws, allowing for the temporary suspension of managing directors or representatives from executing their managerial duties if they fail to comply with directives from the competent authority.
Conclusion
It is essential for entities to assess whether they fall under the NIS2 Directive in order to clearly define their cybersecurity responsibilities and to perform a thorough gap analysis of their existing security measures against the required ones. Although the investment in cybersecurity may be significant, the cost of these investments will likely be far less than the financial and reputational damage incurred from a cyber incident, or from an enforcement action for non-compliance.