On 13 May 2022 the European Parliament and the Council reached a political agreement on the proposed EU Directive 2020/0359 (“NIS2”), which contains new rules for cyber and information security and will affect a large number of European companies, public authorities and their supply chains.
The final legal text is expected to be adopted by the end of 2022, after which the member states have 21 months to transpose the directive into national law. Companies and authorities across Europe are therefore expected to have to comply with the NIS2 rules from 2024.
The directive is expected to apply to public and private “essential entities” operating in energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space, as well as to “important entities” in postal and courier services, waste management, the manufacture, production and distribution of chemicals, the production, processing and distribution of food, manufacturing, and digital providers.
With the exception of certain critical infrastructure and service providers, which are covered regardless of their size, the directive does not apply to micro and small enterprises, i.e. companies with fewer than 50 employees and an annual turnover and/or annual balance sheet total not exceeding EUR 10 million.
Also excluded are those parts of the public administration that carry out activities in the areas of public security, law enforcement, defence or national security.
Companies within the affected sectors face increased requirements for ensuring the security of the network and information systems that support their activities.
The management of the companies is given direct responsibility for cybersecurity risk management, including approving and overseeing the technical and organisational measures taken to prevent and limit the risks and consequences of security incidents. Management remains responsible for supervising the implementation of improvements regardless of whether the operation and maintenance of the systems is handled internally or by external partners.
Management is also required to stay up to date and to acquire sufficient knowledge and skills to identify and assess cybersecurity risks and risk management practices, and to understand how these can affect the operation of the organisation.
The company is responsible for business continuity: through increased robustness it must ensure that its operations can continue in the event of a cyber incident. This includes establishing emergency procedures, backup and system recovery plans, a crisis organisation and crisis management.
It is planned that companies will be obliged to notify the competent authority or national CSIRT, and where relevant the recipients of their services, of significant security incidents within 24 hours of becoming aware of them, and to submit a final incident report to the authority no later than one month later. The obligation covers incidents that have a significant impact on the delivery of the company’s services, for example severe operational disruption or financial loss, or considerable damage to other natural or legal persons. (In the text finally adopted in December 2022 as Directive (EU) 2022/2555 this became a staged obligation: an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month.)
If a company detects a vulnerability or an incident, it must, without undue delay, take the corrective measures needed to remedy it and bring the affected service back into compliance with the directive’s requirements.
The planned cybersecurity risk management measures include (as a minimum):
- Risk analysis and information system security policies.
- Incident handling, including prevention, detection of and response to incidents.
- Business continuity (such as backup management and disaster recovery) and crisis management, planned and implemented in both systems and processes.
- Supply chain security, including the security of relationships with direct suppliers and service providers such as data storage and processing services or managed security service providers.
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
- Processes for notifying vulnerabilities and incidents to the authorities and to affected parties.
- Policies and procedures for assessing the effectiveness of the cybersecurity risk management measures, including testing and auditing.
- Increased, where possible mandatory, use of cryptography and end-to-end encryption to protect the security of electronic communications networks and services.
Supervision by the authorities is extended in both scope and depth and may include regular audits, random checks, on-site inspections and off-site supervision, targeted security audits and security scans. Essential entities are supervised proactively (ex ante), whereas important entities are supervised ex post, i.e. when the authority receives evidence or indications of non-compliance.
Violations of the obligations are subject to administrative fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the company belongs, whichever is higher. (In the adopted text this ceiling applies to essential entities; for important entities it is EUR 7 million or 1.4% of worldwide annual turnover, whichever is higher.)