NIS 2 – The second Network and Information Security Directive

In December 2022, the Council and the European Parliament adopted the NIS 2 Directive, thoroughly revising and extending the legal requirements for IT security in the European Union. This is the legislative response to the heightened threat situation and the related need for tougher cybersecurity.

The Member States now have to implement the new regulations nationally. In Germany, the legislature will have to significantly adapt the BSIG (Act on the Federal Office for IT Security). This article sets out the key points of the reform.

Goal: (More) standardised IT security across Europe

The EU sees cybersecurity as a core requirement for the smooth operation of the single market (see recital 2). The sometimes highly divergent implementation of the first NIS Directive, which led to companies in the Member States being affected differently, was a major thorn in the side of the legislator. The NIS 2.0 Directive therefore aims to eliminate the major differences between the Member States by specifying a standardised criterion for its application (see recital 5).

The Directive will apply to all public or private-sector entities operating in certain sectors which are at least medium-sized enterprises according to EU Commission’s definition of SMEs (Article 2(1)). An “essential entity” does not necessarily have to be a large entity. This approach is the response to the growing mutual dependencies of central infrastructure, which can trigger a far-reaching downward spiral of effect, even if “only” one or more medium-sized players are at the start of the chain. The thresholds for critical infrastructure under the German national Regulation on the Designation of Critical Infrastructure are likely to be consigned to history soon.

Expanded scope

The EU has greatly expanded the scope of cybersecurity guidelines. The Directive mentions “essential entities” and “important entities”. The counterpart to the “essential entities” in the previous Directive was “operators of essential services”, designated “critical infrastructure” in the German transposition of the legislation (see section 2(10) BSIG).

The “important entities” are now an additional category. These are primarily entities operating in the Other Critical Sectors listed in Annex II (see Article 3(2)). The EU sees the responsibility for cybersecurity as lying mainly with operators in these two categories (see recital 77).

By enacting the German IT Security Act 2.0 in April 2021, the German legislature already significantly expanded the target group of the national cybersecurity guidelines itself. This now governs not only “critical infrastructure” and “digital services”, but also “companies of special public interest.” Following the implementation of the NIS 2 Directive, a fourth category is now likely to be added – or the German legislator will align the companies of special public interest with the important entities.

Operators in the following sectors in particular are considered “essential entities” and thus “critical infrastructure”:

• Energy
• Transport
• Banking and finance
• Healthcare
• Drinking water and waste water
• Digital infrastructure
• Public administration
• Space

“Important sectors” include:

• Post and courier services
• Waste management
• Food production, processing and distribution
• Manufacturing/production of goods
• Chemicals production, manufacturing and trade
• Education and research

 

Specific requirements

A core requirement of the NIS 2 Directive for essential and important entities is that they take “appropriate and proportionate technical, operational and organisational measures” taking into account the “state of the art” (Article 21(1)).

The starting point should be a “systemic analysis” taking into account the “human factor” as well as the “degree of dependence […] on network and information systems” (see recital 78). The required measures should not impose a disproportionate financial and administrative burden on the entities.

However, the legislator makes it clear that proportionality is measured according to the potential “societal and economic impact” that a cybersecurity incident may cause (recital 82). “Essential entities” in particular are therefore unlikely to succeed in invoking the effort and cost of the required measures to support their claims of proportionality.

The Directive also requires an “all-hazards approach” that takes into account physical disruptions such as theft, fire, floods and telecommunication or power cuts. The NIS 2 Directive is complemented by the simultaneously announced Directive on the resilience of critical entities, which focuses on physical security, such as with regard to acts of terrorism or natural disasters.

In addition, the entities concerned are required to report “significant incidents” without delay (Article 23(1)).

Cybersecurity as a compliance issue

The IT security of the essential and important entities is a matter for senior management. The Directive states that the management bodies must approve the risk-management measures, oversee the implementation and can be held liable for infringements (Article 20(1)).

The Directive expressly allows the Member States also to lay down the rules on criminal penalties for infringements of the national rules transposing the Directive (see recital 131).

Strict oversight by authorities

To enforce the requirements for essential and important entities, the NIS 2 Directive provides for comprehensive oversight by Member States’ authorities. The Directive explicitly mentions on-site inspections, ad hoc audits, security audits and security scans (Article 32).

The entities most affected are the essential ones that are subject to a comprehensive ex ante and ex post supervisory regime (see recital 122). These operators are required to systematically document the implementation of their risk-management system.

Infringements can result in administrative fines of €10 million or 2% of the worldwide annual turnover (Article 34(4)).

Action to take

Though the Member States now have two years to transpose the European requirements into national law, the entities concerned need to take action today.

The Directive encourages essential and important entities to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers (recital 85). The entities concerned should therefore check whether they are subject to regulation and, when entering into future contracts, ensure they implement the required measures with their service providers. Any subsequent change in the contractual basis will require the cooperation of the service provider (sometimes at a high price).

However, the most important lesson to be learned from past trends is that cybersecurity is not an onerous legal obligation, but is in the best interests of the enterprises and entities. The impact of a cybersecurity incident on these entities, as well as on society and the economy as a whole, may be far more drastic than any official measure to enforce legal requirements.