The NIS 2 Directive ("Directive" or "NIS2") has been approved by the Council. The Directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day following its publication. Member States will have 21 months from the entry into force of the Directive to implement its provisions into their national law. The Directive addresses the shortcomings of NIS1 Directive, and sets forth a renovated framework for cybersecurity in EU.
In brief, the Directive includes
- a much wider scope than that of NIS1 Directive. The existing difference between operators of essential services and relevant service providers will be superseded by the new categories of essential and important entities. The new scope is based both on size cap and sectors. This entails that NIS2 will reach, notably, an extended amount of healthcare operators (including manufacturer of pharmaceuticals and medical devices), online marketplaces, online search engines, social networking social platforms, ICT service management, B2B service providers, public administrations, manufacturers, distributors and productors of chemicals, entities providing data centre services, research organizations, etc.
- a more detailed set of minimum compulsory security measures, including governance measures, internal organisation policies (for instance, internal procedures on incident handling, HR conducts, risk assessments and others);
- a focus on supply chain compliance, with a specific attention to most critical providers;
- an increase in the powers of competent authorities, particularly for essential entities, which will be subject to ex ante and ex post supervision;
- increased sanctions, for essential entities up to 10M euro, or 2% of turnover, and for important entities up to 7M euro, or 1.4% of turnover;
- criteria on jurisdiction, mostly based on main establishment (save from more detailed provisions for instance on electronic communication networks and services), alongside mutual cooperation procedures between authorities.
Next steps
What’s next for involved operators:
- assessing whether your business falls into the scope of the Directive;
- Check updates on sector based act such as the Regulation on digital operational resilience for the financial sector (DORA) and the Directive on the resilience of critical entities (CER),
- monitoring and verifying implementing acts on EU and national level;
- reviewing and updating governance and procedures within your company;
- assess your supplier's compliance, and strengthen contractual measures if needed;
- train management staff and employees on cybersecurity internal policies.
[View source.]