NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU

January 12, 2023 | By Preiskel & Co

Background

The NIS Directive was the first piece of EU-wide legislation on cybersecurity, and aimed to achieve a high common level of cybersecurity across the EU.

The NIS 2 Directive[1] has expanded that scope by requiring more entities and sectors to take measures, and is therefore widely relevant to most of the technology sector.

It aims to strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce stricter enforcement requirements, including harmonised EU sanctions.

The NIS 2 Directive was published in the Official Journal of the European Union on 27 December 2022 and EU Member States have 21 months (by 17 October 2024) from the entry into force to transpose the provisions of the Directive into their national law.

Those measures shall apply from 18 October 2024, at which point the Cybersecurity Directive ((EU) 2016/1148) (“NIS 1 Directive”) will be repealed and replaced.

Scope

The NIS 2 Directive broadens the scope of the NIS 1 Directive and applies to all entities (public or private) that provide services or carry out activities in the EU and qualify as either an “essential” or an “important” entity within a defined list of sectors. These sectors are further divided into:

  • sectors of high criticality, such as energy, health, financial market infrastructures; and
  • other critical sectors, such as postal, courier services, digital providers and the production and distribution of chemicals.

The NIS 2 Directive includes size-based exemptions, so that small and micro businesses are excluded in several cases, and allows member states to exempt specific organisations involved in national security, public security, defence, or law enforcement.

The three categories of digital service providers (DSPs) previously covered under the NIS 1 Directive remain covered under the NIS 2 Directive:

  • cloud computing service providers are covered as part of the digital infrastructure sector;
  • online marketplaces and search engines are covered as digital providers;
  • a wider range of technology providers are now also covered including social network platforms, data centre providers and managed service providers.

Additional measures required

The NIS 2 Directive requires essential and important entities to implement additional cybersecurity risk-management measures proportionate to the cybersecurity risk, such as:

  • risk analysis and information security policies;
  • business continuity, such as backup management and disaster recovery;
  • crisis management and incident handling; and
  • supply chain security, including the security of the relationships between each entity and its direct service providers, together with basic ‘cyber hygiene’ practices and cybersecurity training.

Additional responsibility of management

The NIS 2 Directive increases the cybersecurity responsibilities of the management of important and essential entities. Management is required to approve the additional security measures described above and to monitor their implementation. Management can be held liable if the organisation does not comply with the requirements set out in the NIS 2 Directive (or the implementing legislation).

Reporting

Essential and important entities must notify, without undue delay, the computer security incident response team (“CSIRT”) or, where applicable, the competent authority, of any incident having a significant impact on the provision of their services. The entities must first send an early warning to the CSIRT or the competent authority without delay and no later than 24 hours after becoming aware of the incident. An incident notification must then be submitted without delay and in any case within 72 hours of having become aware of the significant incident. The incident notification must include an initial assessment of the severity and impact and, where possible, should specify the indicators. Finally, a final report must be submitted within one month of the submission of the incident notification.

Supervision

Under the NIS 2 Directive, different supervisory and enforcement rules apply to essential and important entities in the event of non-compliance or a cybersecurity breach:

  • Essential entities: are subject to a maximum fine of EUR 10 million or 2% of the total annual global turnover of the entity, whichever is higher. They may also be subject to strict audits (including on-site inspections and off-site supervision), regular and targeted security audits carried out by the relevant authority, and ad hoc audits when justified by a significant incident or a fundamental breach of the provisions of the NIS 2 Directive.
  • Important entities: are subject to a maximum fine of EUR 7 million or 1.4% of the total annual global turnover of the entity in the previous financial year, whichever is higher. Investigations are only carried out ex post, where the supervisory authority receives evidence or information that an important entity is suspected of non-compliance with the NIS 2 Directive.

Registration

Certain organisations (including DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, providers of online marketplaces, online search engines and social media platforms) will be required to provide information about themselves to the competent authority for the European Union Agency for Cybersecurity (“ENISA”) to establish a register of these entities.

Strengthened European cooperation

The NIS 2 Directive establishes the European cyber crisis liaison organisation network (EU-CyCLONe) for the regular sharing of information between member states and EU bodies and for the coordinated management of large-scale cybersecurity incidents. These are incidents that significantly affect at least two EU member states or exceed the response capacity of a single member state.

Find the NIS 2 Directive here.

Please contact Jose Saras if you have any questions about the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (“NIS 2 Directive”)
