The NIS2 Directive: New rules on cybersecurity

The digitalisation has been a decisive condition for the economic growth in Europe in recent decades, but the digitalisation and our increased use of digital technology and network-based services involve a number of risks to our society as a whole, businesses, public institutions and to us as individuals. The digital development increases already existing risks and creates entirely new risks.

The most important initiative so far within cybersecurity is the final adoption of the “Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148” (EU) 2016/1148” (COM/2020/823 final) – also known as NIS2.

The European Parliament finally adopted the directive on 10 November 2022, and the directive will come into force 20 days from that date. The NIS2 Directive must be implemented into Danish legislation no later than 21 months after the coming into force of the directive, meaning around 1 September 2024.

The NIS2 Directive is a revision of the present NIS Directive but due to the extent of the amendments and the level of the regulation, it is in fact a quite new regulation. NIS2 is a minimum harmonisation directive, and each member state may therefore adopt regulations that ensure a higher level of cybersecurity nationally.

NIS2 contains requirements aimed at the member states (e.g. requirements for a national cyber strategy and duties of supervision) as well as requirements aimed at businesses and public institutions (e.g. security management and requirements for reporting and liability).

NIS2 Directive expands the scope and significantly tightens requirements

The purpose of the NIS2 Directive is to further strengthen and streamline cybersecurity and the resistance against cyber threats across the EU for businesses within a large number of sectors and for public institutions which are considered crucial for economy and society. The purpose is not only to ensure a well-functioning Internal Market but more generally to contribute to ensuring the security of the citizens and businesses of the EU.

Even though it appears from the annexes to the NIS2 Directive which sectors, subsectors and types of entities are covered, it still remains to be clarified which specific Danish businesses and public institutions - called entities in the Directive - will be covered by the NIS2 Directive. This is due to the fact that the definition of the types of entities in the specific sectors is not clear and that this assessment often depends on the specific circumstances of the entity. In addition, the Member States may decide whether certain public entities are to be covered by or exempted from the directive. However, it is clear that the NIS2 Directive expands the scope significantly compared to the NIS Directive as far more sectors are now covered, including public administration, the waste water sector and the food industry.

In addition to the expanded scope, the NIS2 Directive significantly tightens the requirements for security management within the entities covered as the requirements for risk management, documentation and reporting are tightened. Increased regulatory scrutiny and more stringent sanctions are also introduced.

Which entities will be covered by the NIS2 Directive?

In general, the NIS2 Directive applies to public and private entities that are categorised as “essential” or “important” entities and provide services or carry out their activities within the EU. These two types of entities are described in an annex to the Directive.

The concept “essential entities” covers public and private entities within the following sectors:

• Energy (electricity, district heating and cooling, oil, gas and hydrogen)
• Transport (air, rail, water and road)
• Banking (credit institutions)
• Financial market infrastructures (trading venues)
• Health (healthcare providers and pharmaceutical manufacturers, etc.)
• Drinking water and waste water
• Digital infrastructure (providers of cloud services, data centres, domain name systems (DNS), top level domain registers (TLD) and public communications networks)
• Information and communications technology providers (ITC services)
• Providers of managed services and managed security services
• Public administration (except for the Danish Parliament, the courts and Danmarks Nationalbank)
• Space (operators of ground-based infrastructure).

The concept “important entities” covers public and private entities within the following:

• Postal and courier services
• Waste management
• Manufacture, production and distribution of chemicals
• Food production, processing and distribution
• Manufacturing of e.g. electronic products machines and vehicles
• Digital providers (online marketplaces and online search engines and social networking services)
• Research (institutions of higher education and research institutions).

Which entities are exempted from the NIS2 Directive?

Micro businesses and small businesses, i.e. businesses with less than 50 employees and an annual turnover or total annual balance of less than EUR 10 million, are generally not covered by the NIS2 Directive, notwithstanding that they are categorised as essential or important entities. In addition, the Member States may decide to exempt entities within the military, national security and enforcement.

Despite their size, certain micro businesses and small business are still covered by the NIS2 Directive. These are:

• Providers of public electronic communications networks or publicly available electronic communications services
• Trust service providers (validation services)
• Providers of top level domain name registers (TLD) and domain name systems (DNS)
• Entities that are sole providers of a service in a Member State which is essential to the maintenance of crucial social or economic activities
• Entities providing services that are crucial to society, the public sector or a specific sector.

The NIS2 Directive also applies to public entities within the State (as defined by each Member State). The Directive also applies to entities at regional level provided that the termination of the services may be of essential importance to crucial economic or social activities. Finally, each Member State may decide that the Directive is also to apply locally, i.e. at municipal level.

What are the most important requirements of the NIS2 Directive?

The most important requirements for businesses and public entities cover risk management and security measures, the duty to report, managerial anchoring and supervision, enforcement and sanctions.

Risk management and security measures

The entities covered by the present NIS Directive are to take appropriate and proportional technical and organisational measures to manage security risks and limit the damage of a security incident.

The NIS2 Directive continues these requirements and lists additional requirements for appropriate security measures which are now to cover the following as a minimum:

• Policies concerning risk analysis and information security
• Incident management
• Operational continuity and crisis management (back-up etc.)
• Security of supply chain, including management/security of suppliers
• Security in connection with purchase, development and maintenance of network and information systems
• Policies and procedures to assess the efficiency of the measures to control cybersecurity risks
• Guidelines concerning basic “computer hygiene” and training concerning cybersecurity
• Policies concerning use of cryptography and encryption
• Staff safety, access control and asset management
• Securing of internal communication systems.

Duty to report

In connection with the NIS Directive, national Computer Incident Response Teams (CSIRT) were set up the purpose of which was to report on significant incidents. In Denmark, this role is carried out by the Centre for Cybersecurity (CFCS). Entities covered by the NIS2 Directive must also report the competent authority or the CSIRT about significant incidents and cyber threats as quickly as possible and within 24 hours.

An incident is considered significant if the incident or cyber threat (i) has caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned, or (ii) the incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses.

Managerial anchoring

The responsibility for complying with the NIS Directive, including the security initiatives and level, is placed with the provider of the services in question, meaning the legal entity.

The NIS2 Directive tightens the responsibility as the responsibility for violating the NIS2 Directive is not only placed with the entity but also the entity’s management.

The management must therefore approve the risk management measures taken by the entity in relation to cybersecurity and supervise the implementation and the maintenance thereof.

To ensure sufficient competencies, the members of the management must regularly attend courses to achieve the required knowledge, insight and skills to understand and assess cybersecurity risks and management practices and their impact on the entity’s operations. It remains to be laid down how the members of the management may in practice and must fulfil the requirement for cybersecurity-related training.

Supervision, enforcement and sanctions

According to the NIS Directive, the competent national authorities are to supervise the fulfilment of the Directive’s requirements for security and notification based on specific incidents, and the competent authorities are competent to issue certain orders.

The NIS2 Directive tightens the duty to supervise as the competent national authorities are regularly to proactively supervise the essential entities while important entities are still subject to follow-up supervision. As regards important entities, documentation, a sign or information must be available that the important entity does not fulfil the requirements for security and reporting of incidents. The competent authority may issue warnings and orders and - which is especially important - temporarily suspend or request that a person with managerial responsibility (at CEO or General Counsel level) is temporarily suspended from performing management functions at the entity.

The NIS2 Directive also tightens the sanction options. In addition to having to ensure that violations are subject to sanctions that are effective, are reasonably proportionate to the violation and have a deterrent effect, the competent authority of the specific Member State now has a specific option to impose administrative fines if the entity does not fulfil the Directive’s requirements for risk management measures or the duty to report:

• Essential entities may be subject to fines of a maximum of at least EUR 10 million or 2 % of the entity’s total worldwide annual turnover.
• Important entities may be subject to fines of a maximum of at least EUR 7 million or 1.4 % of the entity’s total worldwide annual turnover.

It is up to each Member State to decide whether public authorities are to be subject to fines.

Other regulation within cybersecurity

Parallel with the NIS2 Directive, other regulation is being negotiated concerning cybersecurity within the EU. This includes, in particular, the Directive on the resilience of critical entities (CER) and the Regulation on digital operational resilience for the financial sector (DORA). The latter was also finally adopted by the European Parliament today. Both sets of rules are special regulations in relation to the NIS2 Directive and should be included specifically in the assessment of applicable requirements within cybersecurity.

Is your business or public entity ready?

Based on the NIS2 Directive's distinctive expansion of the scope of the rules, it is important that all public as well as private entities already now consider the Directive and assess whether they are covered by it.

If the entity is covered by the NIS2 Directive, we recommend that:

• a (revised) overview is prepared of all information assets and business procedure for the purpose of a risk assessment and prioritisation
• a gap analysis is made of the requirements of the NIS2 Directive compared to already implemented measures, and
• a plan is made for the implementation and maintenance of the requirements of the NIS2 Directive.

Especially as regards businesses and public administration entities which have not previously been covered by the NIS Directive, this may involve significant administrative and financial costs to implement the NIS2 Directive. But entities already covered by the NIS Directive will also have to allocate resources to assess and implement the NIS2 Directive. In both situations, it is decisive to anchor the implementation of the NIS2 Directive into the top management and to ensure correct and sufficient resources to carry out the implementation.

Horten can help you if your business or public authority is covered by NIS2 or you wish to clarify whether NIS2 applies to you.