Among the plethora of new EU cybersecurity laws, some require positive action by organisations to self-identify to EU member state regulators. There may be a common belief that under NIS2 (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) EU member states will identify the organisations that are in scope. Under the preceding directive, NIS1, the approach to identifying organisations that fell within its scope varied between EU member states, and certain member states did designate the operators within its scope. While NIS2 still requires EU member states to compile lists of essential and important entities, it achieves this by requiring organisations themselves to determine whether they fall within its scope and to submit their details to the relevant EU member state regulator.
What is the action required?
If your organisation falls within the scope of NIS2 (see the criteria below), it must assess its current cybersecurity measures against the requirements of NIS2 and fix any gaps so that it complies from 18 October 2024, the date from which the national laws transposing NIS2 apply in EU member states (member states must adopt them by 17 October 2024). Your organisation will also need to notify the relevant EU member state regulator that it is within the scope of NIS2 by 17 April 2025, the date by which member states must have established their lists of essential and important entities. For example, the German bill on NIS2 implementation names the Federal Office for Information Security (BSI) as the competent authority for this purpose. An earlier deadline of 17 January 2025 applies to the entities listed in Article 27 of NIS2: most of the digital infrastructure providers under B(viii) below (DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre and content delivery network providers), the ICT service management providers under B(ix) and the digital providers under b(vi). These must register with their member state regulator, which forwards the details to an EU-wide registry maintained by ENISA.
Who will NIS2 apply to?
NIS2 applies a uniform method (the "size-cap rule") for determining the entities that fall within its scope, namely entities that meet both of the following criteria:
A) Size: medium-sized or large enterprises, i.e. 50 or more employees, or an annual turnover or annual balance sheet total above €10 million (the thresholds of Commission Recommendation 2003/361/EC); and
B) Type of service: entities that operate within the sectors covered by the Directive and provide the following types of service. Whether such an entity is classed as "essential" or "important" depends on its sector and size: in general, large entities in the Annex I sectors are essential entities and the remainder are important entities, with stricter supervision and higher fines applying to essential entities.
a. Sectors of high criticality (Annex I), whose larger providers are essential entities
i. Energy (electricity, district heating and cooling, oil, gas, hydrogen)
ii. Transport (air, rail, water, road)
iii. Banking
iv. Financial market infrastructures
v. Health (health care providers, EU reference laboratories, research and development of medicinal products, manufacturers of basic pharmaceutical products and preparations, manufacturers of medical devices considered to be critical during a public health emergency)
vi. Drinking water
vii. Waste water
viii. Digital infrastructure (internet exchange point providers, DNS (Domain Name System) service providers, TLD name registries, cloud computing service providers, data centres, content delivery network providers, trust service providers, providers of public electronic communication networks, providers of publicly available electronic communications services)
ix. ICT service management (business-to-business: managed service providers and managed security service providers)
x. Public administration
xi. Space
b. Other critical sectors (Annex II), whose providers are important entities
i. Postal and courier services
ii. Waste management
iii. Manufacture, production and distribution of chemicals
iv. Production, processing and distribution of food
v. Manufacturing (medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers and semi-trailers; other transport equipment)
vi. Digital providers (online marketplaces, online search engines, social networking services platforms)
vii. Research organisations
Small organisations of the type listed above may also be caught, regardless of their size, if:
- they provide public electronic communications networks or publicly available electronic communications services, are trust service providers, or are TLD name registries or DNS service providers;
- they are the sole provider in a member state of a service essential for the maintenance of critical societal or economic activities;
- disruption of the service they provide could have a significant impact on public safety, public security or public health;
- disruption of the service they provide could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
- they are critical because of their specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors; or
- they are public administration entities of central government or at regional level.
NIS2 sets the maximum fine for non-compliance by essential entities at €10 million or 2% of total worldwide annual turnover, whichever is higher (for important entities, €7 million or 1.4%), and requires management bodies to approve and oversee their organisation's cybersecurity risk-management measures, with the possibility of being held personally liable for infringements.
Please contact us if you need support with assessing how NIS2 might affect your organisation and the compliance measures that may be necessary to meet its requirements.
Client Alert 2024-049