EU NIS2 Directive: 101
By IAPP Former Westin Fellow, Anokhy Desai, CIPP/US, CIPT
FOCUS AREAS NIS2

The NIS2 Directive on measures for a high common level of cybersecurity across the EU further improves the resilience and incident response capacities of the public and private sectors, and the EU as a whole, through risk management measures and reporting obligations. It replaces the NIS directive adopted in 2016.

Key changes the NIS2 brings
˚ ... covered entities: essential entities and important entities.
˚ Expands the list of sectors and activities subject to cybersecurity obligations.
˚ Extends scope to cover all medium and large entities.
˚ ... and introduces voluntary coordinated vulnerability disclosures for entities.

Key challenges posed by the NIS2
˚ Entities and sectors now under the scope of the directive trigger new compliance ...
˚ Interplay between the NIS2 and the EU General Data Protection Regulation, including:
  • Cooperation rules between the NIS2 competent authorities and data protection authorities.
  • Legitimate interest as a legal basis for personal data processing to ensure network and information security.
  • Cybersecurity risk assessment ... and processes.
˚ Essential and important entities face ... inspections and random checks.

Important dates
˚ The NIS2 directive entered into force ...
˚ The European Commission provided guidelines clarifying Articles 4(1) and 4(2) ...
˚ Member states incorporated the directive's provisions into national ...
˚ Member states must establish a list of essential and important entities and entities providing domain name registration services by 17 April ..., updated regularly, at least every ...

˚ Implementing guidelines
˚ European Union ...
˚ EU Data Initiatives in Context
˚ Assessing risk: Determining the ... assessments
˚ European Parliament approves NIS2 Directive
˚ NIS2 Directive clears Council of the European Union

ORGANIZATIONS WITHIN SCOPE

The NIS2 directive applies to medium and large entities — those with more than 50 employees and an annual turnover greater than 10 million euros — and to an entity of any size that:
˚ Is a public administration entity.
˚ Is the sole provider of a service in a member state.
˚ Could have an impact on public safety, security or health if its services are disrupted.
˚ Could induce systemic risks or have cross-border impacts if its services are disrupted.
˚ Is a critical entity because of its importance at the regional or national level for its sector or type of service.
˚ Provides services by public electronic communications networks, publicly available electronic communications services, trust service providers, or top-level domain name registries and domain name system service providers.

Entities of any size that meet any of the first five criteria, and medium-size entities that meet the sixth criterion, are considered essential entities.

Covered organizations that meet the above scope are categorized into essential and important entities. The difference between the categories lies in the covered organization's industry. Additionally, any covered organization that does not fall in the essential entity category is an important entity.

SECTORS WITHIN SCOPE

˚ Essential entities are covered organizations in the energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration and space industries.

Important entities are covered organizations in postal and courier services, waste management, chemical production and distribution, and food production and distribution industries, as well as:
˚ Manufacturers of:
  • Medical devices and in vitro diagnostic medical devices.
  • Computer, electronic and optical products.
  • Electrical equipment.
  • Machinery and equipment.
  • Transport equipment, including motor vehicles, trailers and semitrailers.
˚ Digital providers of online marketplaces, search engines and social networking platforms.

Further sector details can be found in Annex I and II.

KEY REQUIREMENTS

Cybersecurity requirements from Article 21 of the NIS2 include:
˚ Policies on risk analysis and information system security.
˚ Incident handling.
˚ Business continuity, disaster recovery and crisis management.
˚ Supply-chain security, including security-related aspects concerning the relationships between each entity and its suppliers or service providers.
˚ Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
˚ Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
˚ Cyber hygiene practices and cybersecurity training.
˚ Policies on the use of cryptography and encryption.
˚ Human resources security, access control policies and asset management.
˚ The use of multifactor authentication or other authentication solutions.

TIMELINE OF REPORTING AN INCIDENT

According to Article 23 reporting obligations, entities must notify the Computer Security Incident Response Team or applicable authority of:
˚ Any incident that significantly impacts their ability to provide services.
˚ Any cross-border impacts of the incident.

According to Article 23 reporting obligations, entities must notify the recipients of their services of:
˚ Significant incidents that are likely to adversely affect their ability to provide services.
˚ Significant cyber threats and any measures or remedies taken in response.

Entities should report to their CSIRT or competent authority:
˚ An early warning, within 24 hours of becoming aware of the significant incident. Entities should indicate whether they suspect the incident was caused by unlawful or malicious acts, or if it could have cross-border impacts.
˚ An incident notification, within 72 hours of becoming aware of the significant incident. Entities should provide an update with an initial assessment of the incident, including its severity, impact and, when available, indicators of compromise.
˚ An intermediate report on relevant status updates upon the request of the CSIRT.
˚ A progress report for ongoing incidents or a final report no later than one month after the submission of the incident notification. The report should include a detailed description of the incident, including its severity and impact, the type of threat or root cause of the incident, applied and ongoing mitigation measures, and any cross-border impacts of the incident.

ENFORCEMENT AND PENALTIES

Member state authorities can order:
˚ Administrative fines of up to 10 million euros or 2% of the company's total annual worldwide turnover, whichever is higher.
˚ Offending entities to make aspects of noncompliance with the directive public.
˚ A public statement identifying the violation's nature, and the natural and legal persons responsible.
˚ Sanctions that may include suspending certifications and authorizations for services provided by the organization and temporarily banning any individual responsible for the breach from management positions within the entity.

Essential entities can face:
˚ Onsite inspections, offsite supervision and random checks by trained professionals.
˚ Regular and targeted security audits carried out by independent bodies or competent authorities.
˚ Ad hoc audits, including, when justified, on the grounds of a significant incident or infringement of the NIS2 Directive.
˚ Security scans based on objective, nondiscriminatory, fair and transparent risk-assessment criteria.
˚ Requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity.
˚ Requests to access data, documents and information necessary to carry out their supervisory tasks.
˚ Requests for evidence of implementation of cybersecurity policies, like the results of a security audit.

Important entities can face:
˚ Onsite inspections and offsite ex post supervision by trained professionals.
˚ Targeted security audits carried out by independent bodies or competent authorities.
˚ Security scans based on objective, nondiscriminatory, fair and transparent risk-assessment criteria.
˚ Requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity ex post.
˚ Requests to access data, documents and information necessary to carry out their supervisory tasks.
˚ Requests for evidence of implementation of cybersecurity policies, like the results of a security audit.
IAPP disclaims all warranties, expressed or implied, with respect to the contents of this material, including any warranties of accuracy, merchantability or fitness for a particular purpose. Nothing herein should be construed as legal advice. Updated October 2024.
© 2024 IAPP. All rights reserved. iapp.org