ABT blog

New cybersecurity rules in the EU – NIS 2 Directive is introduced

Author
dr. Vanda Szalai
Junior Advisor, Risk & Compliance Services

This article describes the relevant obligations for organisations subject to the recently published NIS 2 Directive, which introduces several changes compared to the previous Directive.

What is the NIS 2 Directive?

At the end of last year, the Council of the European Union adopted the NIS 2 Directive on measures for a high common level of cybersecurity across the EU. The Directive sets out various minimum standards to achieve a high level of cybersecurity and applies to organisations in specific sectors.

The new legislation replaces the NIS Directive[1], which has been in force since 2018, with stricter rules that apply to a wider range of entities.

When will it be applicable?

The NIS 2 Directive entered into force on 16 January 2023. Since it is a Directive, in order for it to take effect at national level, Member States must adopt a law to transpose it. The Directive stipulates that Member States must adopt and publish the necessary measures to comply with the Directive by 17 October 2024.

Therefore, detailed rules at national level will have to wait, but organisations are strongly advised to assess whether they may be covered by NIS 2 at this stage and to consider the organisational, material and technical requirements necessary to prepare for compliance.

Who does NIS 2 apply to?

To be subject to the NIS 2 Directive, an organisation has to meet all three of the following conditions:

  • Belonging to a specific sector
  • Reaching the threshold of required size: at least medium-sized enterprise
  • Providing services or carrying out activities in the European Union

The first two conditions are described in detail below.

Specific sector

Annexes I and II of the NIS 2 Directive list all public and private entities that fall within its scope. Compared to the previous Directive, NIS 2 has significantly extended the scope of these sectors, so it covers the following:

Sectors listed in Annex I:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Sectors listed in Annex II:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital providers
  • Research

The Directive also defines the types of entities within each sector, having several sub-sectors for Energy, Transport and Manufacturing.

NIS 2 divides the entities in all these sectors into essential and important entities. Article 3 (1) of the Directive defines which entities are considered essential entities, while important entities are those that do not meet these requirements. This distinction affects, among other things, the measures that can be taken against an organisation in the event of a breach of the Directive.

Required size

Under the previous Directive, Member States were obliged to identify entities providing essential services, whereas NIS 2 sets a size threshold of at least a medium-sized enterprise as per the EU's SME (small and medium-sized enterprises) definition. There are two cumulative conditions for reaching this threshold:

  • The organisation employs more than 50 people.
  • The annual turnover and/or annual balance sheet total of the organisation exceeds EUR 10 million.

It is important to note that, irrespective of their size, entities belonging to a specific sector that meet the specific requirements of Article 2(2) to (4) are also subject to NIS 2.

What are the main changes in NIS 2?

Cybersecurity risk-management measures

NIS 2 requires both essential and important entities to take at least the following measures to mitigate cybersecurity risks in the provision of their services:

  • policies on risk analysis and information system security
  • incident handling
  • business continuity, such as backup management and disaster recovery, and crisis management
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • basic cyber hygiene practices and cybersecurity training
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • human resources security, access control policies and asset management
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

Obligation to report incidents

In connection with the requirement for incident handling, it is important to note that NIS 2 requires organisations to report significant incidents. Both the definition of an incident and the criteria for a significant incident are set out in the Directive[2].

NIS 2 defines a so-called staged reporting obligation, under which the incident notification must be preceded by an early warning. The time limit for the notification is already very tight - 72 hours from the time the incident becomes known - but only 24 hours are available for the early warning. A final report must also be submitted within one month of the incident notification. The required content of each of these is also set out in the Directive.

In light of the detailed requirements, it is recommended that organisations subject to NIS 2 start to develop internal processes for incident detection and reporting.

Supply chain security

NIS 2 requires organisations to mitigate security risks of their suppliers and service providers in the supply chain. This means that they must assess and consider the cybersecurity risk management measures for products and services, as well as the overall quality and resilience of the cybersecurity practices of their suppliers and service providers. The form and conditions for these are not precisely defined in the absence of national legislation, but the preamble to the Directive suggests that organisations should incorporate cybersecurity risk management measures into contractual arrangements with their direct suppliers and service providers as good practice.

As such, NIS 2 may ultimately affect organisations outside its direct scope. They should therefore be prepared for their customers who are subject to NIS 2 to pay increased attention to this issue, and they may be questioned about their own cybersecurity practices.

What are the consequences of non-compliance?

NIS 2 imposes direct obligations on management bodies to implement and monitor their organisation's compliance with the law and allows them to be held accountable for non-compliance.

Although it will also be up to the national legislator to work out the detailed rules, it is already clear that different rules will apply to essential and important entities. For the former, NIS 2 sets out stricter sanctions.

The competent authority may, in the case of essential entities:

  • temporarily suspend (or request the competent body to temporarily suspend) the certification or authorisation concerning part or all of the relevant services provided or activities carried out by the essential entity,
  • request the competent body to temporarily prohibit the natural person responsible for the exercise of managerial functions from exercising managerial functions at the level of the chief executive or legal representative.

Under NIS 2, the competent authority may also impose administrative fines for breaches of the rules on cybersecurity risk management measures[3] and reporting obligations[4].

The Directive gives Member States discretion in setting the level of fines; the maximum fines that can be imposed may be up to:

  • 10 million EUR or 2% of annual global turnover for essential entities.
  • 7 million EUR or 1.4% of annual global turnover for important entities.

[1] The NIS Directive was the first cybersecurity legislation at European level, which aimed to ensure high common level of security for network and information systems across the EU.

[2] NIS 2 Directive Article 6 (6) and Article 23 (3)

[3] NIS 2 Directive Article 21

[4] NIS 2 Directive Article 23

Date: 31 March 2023 | Topic: IT security

The above summary is provided for information purposes only. We recommend that you consult our experts before making any decision based on this information.