January 16, 2023, Command Regarding measures for a high common level of cyber security across the Union (“NIS2”) came into effect.
NIS2 is a network and information system security directive (seeNIS Directive) and introduce a number of changes, such as bringing more sectors and services into the scope of NIS regulations and introducing an updated (and more stringent) regime of security obligations and incident notification requirements.
Summary of major changes
- Extended Range – Under previous NIS Directives, the obligations applicable to an entity depended on its status as an “operator of essential services” (“OES) or “Digital Service Provider” (“DSPs”). NIS2 replaces this classification with “essential” and “significant” entities based on the sector and size of the business. NIS2 greatly expands the types of sectors and entities covered by its scope. Essential and critical entities include, for example, public electronic telecommunications network and service providers, data center services, cloud computing service providers, wastewater and waste management, manufacturers of critical products, food producers and distributors, Includes social networking service platforms, postal and courier companies. Service and government agencies, and others in the healthcare sector (for example, pharmaceutical research and development and pharmaceutical manufacturing). In contrast to previous regimes, both essential and material entities are subject to the same set of obligations.
- Cyber Security Risk Management – As with previous NIS Directives, entities within the scope of NIS2 must implement appropriate and proportionate technical and organizational measures to manage cybersecurity risks and prevent and minimize the impact of potential incidents. must be taken. In addition, NIS2 contains a list of security measures that entities must implement at a minimum. These include incident handling and crisis management, vulnerability handling and disclosure, policies and procedures for evaluating the effectiveness of cybersecurity risk management measures, basic computer hygiene practices and cybersecurity training, cryptography effective use of human resources, security of human resources, access control policies and assets. management. Governing bodies of critical and critical entities should approve these cybersecurity risk management measures, oversee their implementation, and be held accountable for violations by the entity. To do so, management must follow specific and regular cybersecurity training.
- Risk and incident management and collaboration – On the other hand, under the NIS Directive, only the DSP was required to notify incidents.make a big impact“Under NIS2, both essential and critical entities are required to notify the competent authority or Computer Security Incident Response Team (CSIRT) of an incident.”Significantly impact service delivery”. To comply with these notification obligations, essential and material entities must submit to the CSIRT or competent authority.
- without undue delay, and within 24 hours of becoming aware of the serious incident, whether the serious incident is suspected to have been caused by illegal or malicious activity, or may have cross-border consequences. early warning to indicate if there is;
- Incident notification, without undue delay and in any event within 72 hours of becoming aware of the significant incident, including an initial assessment of the significant incident, including severity and impact, and indications of compromise.
- A final report containing a detailed description of the incident, its severity and impact, the types of threats or root causes that likely caused the incident, and any final report that has been applied and is in progress, within one month of submission of the incident notification; countermeasures and, where applicable, the cross-border consequences of the incident.
While the NIS Directive permitted competent authorities or CSIRTs to notify the public of incidents in certain cases, NIS2 requires essential or critical entities to notify recipients of serious incident services without delay. It includes an obligation to know. Member States also require essential and critical entities to use certain ICT products, ICT services and ICT processes certified under the European Cybersecurity Certification Scheme (adopted in accordance with the EU Cybersecurity Law 2019). may request.
- Execution – NIS2 establishes a minimum list of administrative sanctions for breach of cybersecurity risk management and reporting obligations. These sanctions include binding instructions, orders to implement security audit recommendations, orders to align security measures with her NIS2 requirements, and administrative fines. In relation to administrative fines, NIS2 distinguishes between essential and critical entities and requires member states to provide authorities with the ability to impose the following administrative fines:
- At least up to €10 million or 2% of global annual turnover for essential entities.
- For significant entities, at least up to €7 million or 1.4% of annual global turnover.
NIS2 also introduces a clause on the liability of natural persons holding senior management positions in the entities within its scope.
In general, essential and material entities are subject to the jurisdiction of the Member State in which they are established and, in the case of providers of public electronic communications networks or services, to the Member State in which they provide their services. Certain types of entities are under its jurisdiction, including cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, and providers of social networking platforms. . Member States in which they have major facilities. If not established in the European Union, these entities must appoint their EU representatives in the Member States in which their services are provided.
Member States have 21 months to transpose NIS2 into national law.
Organizations should begin preparing for the implementation of NIS2 member states and assess whether any services or activities are subject to obligations under NIS2. Entities within scope should conduct a thorough assessment of new security, risk management, and incident response requirements to identify potential compliance gaps. This may include ensuring that new security controls and incident response obligations flow throughout the supply chain.