NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU

January 12, 2023, by Preiskel & Co

Background

The NIS Directive was the first piece of EU-wide legislation on cybersecurity, and aimed to achieve a high common level of cybersecurity across the EU.

The NIS 2 Directive[1] expands that scope by requiring more entities and more sectors to take cybersecurity measures, and is therefore relevant to most of the technology sector.

It aims to strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce stricter enforcement requirements, including harmonised EU sanctions.

The NIS 2 Directive was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. Member States have 21 months from entry into force, i.e. until 17 October 2024, to transpose the Directive into national law.

Those national measures apply from 18 October 2024, at which point Directive (EU) 2016/1148 (the “NIS 1 Directive”) is repealed and replaced.

Scope

The NIS 2 Directive broadens the scope of the NIS 1 Directive. It applies to public and private entities that provide services or carry out activities in the EU, fall within a defined list of sectors, and are classified as either “essential” or “important” entities. The sectors themselves are divided into two groups:

  • sectors of high criticality, such as energy, health and financial market infrastructures; and
  • other critical sectors, such as postal and courier services, digital providers, and the manufacture, production and distribution of chemicals.

The NIS 2 Directive contains size-based exemptions, so that small and micro enterprises fall outside its scope in many cases (although certain entities, such as providers of public electronic communications networks, qualified trust service providers, TLD name registries and DNS service providers, are covered regardless of size). It also allows Member States to exempt specific entities that carry out activities in the areas of national security, public security, defence or law enforcement.

The three categories of digital service providers (DSPs) covered under the NIS 1 Directive remain covered under the NIS 2 Directive:

  • cloud computing service providers are now covered as part of the digital infrastructure sector; and
  • online marketplaces and online search engines are covered as digital providers.

In addition, a wider range of technology providers is now brought into scope, including social networking platforms, data centre service providers and managed service providers.

Additional measures required

The NIS 2 Directive requires essential and important entities to implement cybersecurity risk-management measures that are proportionate to the risk faced. These must be based on an all-hazards approach and include, among others:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including the security of the relationships between each entity and its direct suppliers or service providers;
  • security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of the measures adopted;
  • basic ‘cyber hygiene’ practices and cybersecurity training;
  • policies on the use of cryptography and, where appropriate, encryption; and
  • human resources security, access control policies, asset management and, where appropriate, multi-factor or continuous authentication.

Additional responsibility of management

The NIS 2 Directive increases the cybersecurity responsibilities of the management bodies of essential and important entities. Management must approve the cybersecurity risk-management measures described above, oversee their implementation, and itself undergo cybersecurity training. Members of management bodies can be held personally liable if the entity fails to comply with the requirements of the NIS 2 Directive (or the national legislation implementing it).

Reporting

Essential and important entities must notify, without undue delay, the relevant computer security incident response team (“CSIRT”) or, where applicable, the competent authority of any incident that has a significant impact on the provision of their services. Notification takes place in stages:

  • an early warning, without undue delay and in any event within 24 hours of becoming aware of the significant incident, indicating where applicable whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact;
  • an incident notification, without undue delay and in any event within 72 hours of becoming aware of the significant incident, updating the early warning and giving an initial assessment of the incident’s severity and impact and, where available, the indicators of compromise;
  • an intermediate report on relevant status updates, where the CSIRT or competent authority requests one; and
  • a final report, no later than one month after submission of the incident notification, describing the incident, its severity and impact, the type of threat or root cause that likely triggered it, and the mitigation measures applied.

Supervision

Under the NIS 2 Directive, essential and important entities are subject to different supervisory and enforcement regimes:

  • Essential entities: are subject to administrative fines of up to at least EUR 10 million or 2% of the entity’s total worldwide annual turnover in the preceding financial year, whichever is higher. They are also subject to proactive (ex ante) as well as reactive (ex post) supervision, including on-site inspections and off-site supervision, regular and targeted security audits carried out by an independent body or the competent authority, and ad hoc audits where justified by a significant incident or an infringement of the NIS 2 Directive.
  • Important entities: are subject to administrative fines of up to at least EUR 7 million or 1.4% of the entity’s total worldwide annual turnover in the preceding financial year, whichever is higher. Supervision is ex post only, i.e. the competent authority acts when it receives evidence, indication or information that an important entity is suspected of not complying with the NIS 2 Directive.

Registration

Certain entities (DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines and social networking platforms) will be required to submit information about themselves to the competent authority, which forwards it to the European Union Agency for Cybersecurity (“ENISA”) so that ENISA can establish and maintain a register of these entities.

Strengthened European cooperation

Alongside the existing Cooperation Group and the network of national CSIRTs, the NIS 2 Directive formally establishes the European cyber crisis liaison organisation network (“EU-CyCLONe”) to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to share information between Member States and EU bodies. Large-scale incidents are those that cause a level of disruption exceeding a single Member State’s capacity to respond, or that have a significant impact on at least two Member States.

The full text of the NIS 2 Directive is published in the Official Journal of the European Union (see footnote [1]).

Please contact Jose Saras if you have any questions about the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (“NIS 2 Directive”)
