On 27 December 2022, the Directive on Measures for a High Common Level of Cybersecurity across the Union (the ‘NIS 2 Directive’) was published in the Official Journal of the European Union.
The NIS 2 Directive significantly broadens the scope of the original NIS Directive, which was adopted in 2016, by applying to a wider range of industries in order to extend and strengthen cybersecurity requirements across the EU. This includes addressing supply chain security, streamlining reporting obligations and introducing strict enforcement requirements. In other words, NIS 2 requires a large number of organisations to implement a comprehensive cybersecurity risk management framework, with the aim of increasing the overall level of cyber resilience within the EU.
Entering into force on 16 January 2023, the directive will have to be transposed into national legislation by October 2024. Shortly thereafter, competent authorities of the member states will ensure compliance oversight and enforce the national implementation law, where necessary through severe administrative penalties and remedial measures.
The first new element introduced by NIS 2 concerns the scope of the directive itself, which is significantly broader than its predecessor. Whereas the original NIS Directive merely applied to ‘Operators of Essential Services’ (OES) and ‘Digital Service Providers’ (DSP), NIS 2 applies to ‘essential’ and ‘important’ entities within the EU.
These entities are considered critical for the EU economy and society and thus include providers of public electronic communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services, and public administration, both at central and regional level.
Where sector-specific legislation - such as the Digital Operational Resilience Act (DORA) - requires essential or important entities under NIS 2 to adopt cybersecurity risk-management measures or to notify significant incidents, NIS 2 shall not apply to these entities if the sector-specific requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive.
If sector-specific legislation does not cover all entities in a specific sector falling within the scope of the NIS 2 Directive, the relevant provisions of NIS 2 shall continue to apply to the entities not covered by the sector-specific legislation.
Now that NIS 2 is officially adopted, a significant number of organisations will need to consider, implement and comply with various binding obligations that will materialise after the transposition of the directive into national legislation.
The following timeline outlines the key phases in the development and enforcement of NIS 2.
Although national implementation laws are yet to be developed and adopted, the NIS 2 Directive clearly emphasises three major pillars in which organisations will have to step up their efforts in order to ensure compliance.
Under NIS 2, organisations are required to take a proactive rather than reactive approach to risk management by introducing strong information security policies to ensure systematic and thorough risk analysis.
In general, these policies should be designed on the basis of an all-hazard approach, proportional to the risk, size, cost, impact and severity of incidents that individual organisations face.
Taking into consideration this principle of proportionality, organisations are expected to implement industry-accepted and state-of-the-art cybersecurity measures in - among others - the following domains.
Under NIS 2, essential and important entities need to have a robust Incident Management Framework (IMF) in place, which is tested regularly and communicated to all relevant parties. Moreover, the new directive requires organisations to implement clear procedures to prevent attacks, investigate root causes and adopt mitigating measures.
Under NIS 2, essential and important entities need to ensure the continuity of their operations in the event of a major (cybersecurity) incident. As such, organisations must implement a comprehensive resilience framework - encompassing business continuity, disaster recovery and crisis management - in order to minimise disruption.
As supply chain security becomes ever more relevant, NIS 2 requires essential and important entities to engage in Third Party Risk Management (TPRM). Ensuring TPRM across their digital value chains will be a challenging task for organisations and a comprehensive supply chain resilience framework could be warranted.
Under NIS 2, essential and important entities must report - without undue delay - any incident that has a significant impact on the provision of their services to their national Computer Security Incident Response Team (CSIRT) or the appropriate national authority.
In order to comply with these reporting obligations, organisations must submit:
Early warning: Issued without undue delay and no later than 24 hours after becoming aware of the incident, stating whether the event is thought to have been the result of unlawful or malicious activity or could have cross-border ramifications;
Incident notification: Issued without undue delay and no later than 72 hours after becoming aware of the incident, updating the information provided in the early warning and giving a preliminary evaluation of the incident's severity and effects;
Intermediate report: Issued upon request of the CSIRT or the appropriate national authority, highlighting relevant status updates in incident and crisis management.
Final report: Must be submitted no later than one month after the incident notification was submitted. A thorough description of the incident - including its root cause, any adopted mitigation strategies, and any cross-border effects - must be included in the final report.
When compared to its predecessor, NIS 2 provides a tough enforcement framework in order to ensure a higher level of compliance.
First and foremost, competent national authorities will be able to rely on a robust enforcement and investigation framework, the limits of which depend on the classification of your organisation.
Essential entities: Subject to a comprehensive, ex ante, supervisory regime, in which the supervisory powers of the national authorities include the ability to conduct random raids, perform (ad hoc) security audits as well as the ability to request certain information and evidence of compliance.
Important entities: Subject to a lighter, ex post supervisory regime that applies only where there is evidence and/or indications of non-compliance.
Under NIS 2, the management bodies of essential and important entities must approve cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements by their organisation.
In this context, all members of management bodies will also be required to follow training on a regular basis in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by their organisation.
Under NIS 2, member states must provide the appropriate national authority with the discretionary power to impose considerable fines on organisations that do not comply with the national transposition laws.
Essential entities: At least up to €10 million or 2% of their worldwide annual turnover
Important entities: At least up to €7 million or 1.4% of their worldwide annual turnover
PwC can assist your organisation along the entire resilience journey towards compliance with NIS 2. Through our Regulatory Readiness Assessment Framework (RRAF), we can advise you in defining your current readiness and assist you in the implementation of measures to meet the regulatory requirements under NIS 2.
Now that NIS 2 is formally adopted, all entities within scope need to plan for the task of preparing for and anticipating the national transposition measures to come. Getting a head start will allow the timely identification of any areas that require substantial investment and prioritisation.
While NIS 2 aims to harmonise regulatory requirements on cybersecurity risk management and reporting methods, many of its obligations were already introduced in its predecessor and can be found in existing national regulations and international standards regarding cybersecurity and data protection.
That being said, the devil is - as always - in the details and it will be essential for all entities in scope of the NIS 2 Directive to undertake a gap assessment and establish a strategy to achieve compliance within the 21-month preparation period.
We can help you build a secure digital strategy through a combination of both offensive and defensive cyber security services from within our five main pillars: