Information & infrastructure security
The Second Network and Information Security Directive (NIS2)
What is the purpose of NIS2?
NIS2 seeks to enhance cyber security preparedness and response across key sectors that are deemed critical or highly critical to society and the economy. NIS2 is an EU Directive (Directive (EU) 2022/2555), meaning Member States are required to pass their own national laws to bring it into effect. It repeals and replaces the previous directive (NIS1, Directive (EU) 2016/1148) and sits alongside the Digital Operational Resilience Act (DORA), which applies more narrowly to the financial sector.
Key provisions
- Applies to the public and private sectors. A distinction is made between 'essential' and 'important' entities based on the size of the entity and sector in which they operate.
- Large entities operating in the sectors listed in Annex I of NIS2 are deemed 'essential entities' and are subject to more active (ex ante) regulatory oversight and stricter penalties for non-compliance. Medium-sized entities in Annex I sectors, and medium and large entities in the sectors listed in Annex II, are designated as 'important entities' and are subject to ex post supervision, i.e. regulatory action if authorities become aware of non-compliance.
- Small and micro businesses (fewer than 50 employees and annual turnover or balance sheet of less than EUR10 million) are generally out of scope, but are caught regardless of size in specific cases, for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, certain public administration entities, and entities that are the sole provider in a Member State of a service essential to critical societal or economic activities.
- In-scope organisations will have to undertake significant preparedness work and must be able to demonstrate their efforts. Both essential and important entities must report significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, intermediate status updates on request, and a final report within one month.
- NIS2 enhances the mechanisms for co-operation among EU Member States, through the NIS Co-operation Group and via the network of Computer Security Incident Response Teams (CSIRTs). This co-operation aims to facilitate co-ordinated responses to large-scale, cross-border cyber security incidents.
Where will NIS2 apply?
NIS2 applies to in-scope entities that provide their services or carry out their activities in the EU. Certain digital entities that are not established in the EU but offer services there (for example DNS service providers, cloud computing and data centre service providers, content delivery network providers, managed (security) service providers, and providers of online marketplaces, search engines or social networking platforms) must designate a representative in the EU and remain subject to the Directive.
Who will have obligations under NIS2?
- Many sectors are newly introduced by NIS2; among the 'other critical sectors' listed below, only digital providers were already in scope under NIS1. Newly covered sectors include waste water, space, public administration, ICT service management (business-to-business), research, food production, processing and distribution, postal and courier services, waste management, manufacturing, and the manufacture, production and distribution of chemicals.
- Sectors covered by NIS2 are divided into 'sectors of high criticality' (Annex I) and 'other critical sectors' (Annex II).
- Organisations contracting with in-scope entities are likely to see contractual security duties passed on to them, as supply chain security is a key focus of the preparedness work NIS2 demands.
Highly critical sectors (including new sectors and sectors also subject to direct requirements under DORA) are:
- Health
- Energy
- Transport
- Digital infrastructures
- Drinking water
- Banking
- Financial markets
- Waste water
- Space
- ICT service management
- Public administration
Other critical sectors are:
- Digital providers
- Waste management
- Manufacturing
- Manufacture, production and distribution of chemicals
- Postal services
- Food production and distribution
- Research
Are there sanctions for non-compliance?
Each Member State must designate one or more national authorities to be responsible for implementing NIS2. These authorities will have powers to audit entities, demand information, issue binding instructions, and impose fines for non-compliance.
The penalty framework requires Member States to provide for administrative fines with a maximum of at least EUR10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least EUR7 million or 1.4% of total worldwide annual turnover (whichever is higher) for important entities.
Key dates and deadlines
- 16 January 2023 – NIS2 entered into force.
- 17 October 2024 – deadline for EU Member States to adopt and publish the national legislation transposing NIS2.
- 18 October 2024 – EU Member States must apply those measures; NIS1 is repealed with effect from this date.