NIS2: New year, new European security rules

The NIS Directive was the first European text to bring in requirements for the security of digital assets. It entered into force in 2016 and has been met with varying degrees of acceptance by Member States. According to its own Article 23, the Directive must be reviewed and amended regularly to reflect evolving risks and threats. Thus, the review process started in the middle of the first COVID lockdown in 2020. On 28 November 2022, the final text of the NIS2 Directive was adopted.

To strengthen the security posture of EU organisations, NIS2 sets in motion different dynamics:

• An extension of the scope to more sectors and entities. The assessment thus covers a perimeter of 160 000-plus entities within the EU.
• A specific focus on the security of digital supply chains. This is a first in Europe, and this dimension is fundamental for further regulatory work on digital security (Cyber Resilience Act, etc.).
• Rationalising reporting obligations, mainly for security incidents and vulnerabilities.
• Increasing accountability of management bodies within entities affected by NIS2. This dimension includes introducing criminal liability for managers trying to hide a critical security issue.
• Harmonisation and tightening of penalties across all Member States to overcome the creative variations following the transposition of NIS1.

Which entities are in scope?

One significant change introduced by NIS2 is the widening of the scope. Two criteria matter here: the sector of activity of the organisation and its size. The latter criterion was under vivid debate during the review workshops, with many fearing a disproportionate compliance burden for SMBs.

Thus, the conditions of application on the « size » criterion have been clarified; they target organisations providing critical services, and whose poor security posture may negatively impact public security or public health. Thus, these providers are within the scope of NIS2, regardless of their size.

The naming of organisations in the scope of NIS2 has also changed. In the original NIS, there were OSEs (operators of essential services) and DSPs (digital service providers). The OSEs were like French OIVs (opérateurs d’importance vitale).

DSPs covered cloud providers, online marketplaces and search engines; the trend was that those would not suffer under burdensome requirements. With NIS2, this OSE/DSP distinction no longer exists: here come Essential Entities (EE) and Important Entities (IE). That categorisation is made according to the sector of activity of the organisation.

The EEs (Annex I) are public and private operators in, among others, the energy, health, transport, public administration, digital infrastructure, B2B digital services and space sectors. This includes cloud service providers, CDNs, data centres, and managed (security) service providers. Many CISOs may soon discover the classification of their managed SOC as a critical entity under NIS2…

The IEs (Annex II) are public and private operators in the postal, food (e.g., canteens), research, waste management sectors, online marketplaces, social networks, search engines and smart health devices.

One can argue at length about the relevance of this or that definition or inclusion. Yet, at present, more than 160,000 public and private organisations of all sizes across Europe are under a set of harmonised minimum requirements.

This means that an IE does not enjoy reduced requirements. The organisation and its managers will be subject to the same sanctions as EEs. The exception approach is reversed compared to the original NIS: EEs will be subject to enhanced requirements (such as on-site inspections).

Surveil and punish: management liability

When implemented, the NIS2 Directive will increase the (minimal) effort organisations must put into digital security. In doing so, NIS2 adopts a deterrent approach by defining scales of penalties as follows:

• Administrative fines.
• Accountability of decision-makers and senior managers (C-levels) within organisations.

As regards administrative fines, we see similarities between the stratification initiated by the GDPR and what now exists in NIS2. Thus, in case of failure to comply with reporting obligations and to implement risk mitigation measures, fines of up to €10 million or 2% of annual consolidated worldwide turnover may be imposed (whichever is higher). As with GDPR, the percentage is calculated based on « Group » yearly revenue in the case of a fine targeting a subsidiary. Of course, Member States may add their national penalties to these fines.

The real punitive novelty is sanctioning top management. In other words, the European legislator is aware of the suffering and loneliness of the « IT manager » who must work magic on full moon nights to ensure that digital tools are safe. NIS2 empowers managers and enables digital risk ownership by management and the Board. For Excel enthusiasts, warm up your RAC(S)I matrices.

In concrete terms, NIS2 allows Member State authorities to hold managers personally liable if gross negligence is proven after a security incident. The authorities can thus order organisations in violation to make non-compliance with the directive public. Or to make a public statement identifying the natural and legal person(s) responsible for the violation and its nature. The inspiration for these measures also comes from GDPR; the image damage caused by a public sanction of this kind hits harder than paying out a few hundred thousand euros.

And if the organisation is an EE, NIS2 allows the authorities to (temporarily) ban an individual from holding management positions in case of repeated negligence. Yet, this is a worst-case scenario. NIS2 provides guidelines to prevent such failure. For example, to ensure that management is sufficiently aware of digital risk, NIS2 requires that management bodies receive adequate training in cyber security.

The NIS2 advises that all employees receive such training. Also, it requires that risk management and risk assessment activities be carried out to ensure that management is aware of and has considered the cybersecurity risks within its organisation.