Cybersecurity at the Top Table – New cybersecurity laws on the way – NIS2

The NIS2 Directive will be published in the Official Journal of the EU in the coming days and will come into force 20 days following its publication. Member States will then have 21 months to introduce national law transposing the NIS2.

NIS2 will replace the NIS Directive , which was the first EU wide cybersecurity law. NIS2 will expand upon the scope of the NIS Directive, harmonizing and strengthening cybersecurity risk management, governance and incident reporting, and enhancing enforcement powers and sanctions for non-compliance.
The new rules are important not just for those entities within scope but also for anyone providing services to or collaborating with those entities.

Expanded Scope

Size Cap
All medium (50 + employees and turnover of up to €50m) and large entities (250 + employees and turnover in excess of €50m) operating in the sectors covered by NIS2 must comply with the new requirements.

Sectors

NIS2 moves away from Operators of Essential Services and Digital Service Providers to Essential Entities and Important Entities.
Essential Entities
• Energy – Electricity; District heating and cooling; Oil; Gas; Hydrogen.
• Transport – Air; Rail; Water; Road.
• Banking
• Financial market infrastructures
• Health
• Drinking Water
• Waste Water
• Digital infrastructure
• Public Administration
• Space

Important Entities
• Postal and courier services
• Waste management
• Manufacture, production and distribution of chemicals
• Food production, processing and distribution
• Manufacturing – medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment.
• Digital providers – online marketplaces; online search engines; social networking services platform.

The NIS2 Directive will also apply to some entities regardless of their size including:
• public electronic communications networks or publicly available electronic communications services
• trust service providers
• top–level domain name registries and domain name system (DNS) service providers
• the entity is a public administration entity as defined
• the entity is the sole provider of a service in a Member State
• a potential disruption of the service provided by the entity could have an impact on public safety, public security or public health
• a potential disruption of the service provided by the entity could induce systemic risks, in particular for the sectors where such disruption could have a cross-border impact
• the entity is critical because of its specific importance at regional or national level for the particular sector or type of service, or for other interdependent sectors in the Member State
• the entity is identified as a critical entity pursuant to the CER Directive .
Member States are responsible for establishing a list of such entities.

Other – Supply Chain Risk Assessments

If you provide services to entities within the scope of the NIS2 or are a research or academic institution, you may now need to demonstrate cybersecurity compliance to ensure that you can continue to provide services to/cooperate with those entities subject to the new rules once NIS2 is introduced in Ireland.
Exemptions

NIS2 Directive will not apply:
• To public administration entities that carry out activities in the areas of public security, law enforcement, defence or national security
• Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in NIS2.

Risk Management

Will have to include at least:
• risk analysis and information system security policies;
• incident handling (prevention, detection, and response to incidents);
• business continuity and crisis management;
• supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;
• security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
• policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures;
• the use of cryptography and encryption.

Governance

Management Bodies will have to:
• Approve the cybersecurity risk management measures
• Supervise its implementation
• Be accountable for the non-compliance by the entities
• Follow specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.

Incident Reporting

Both “Incidents” and “Cyber Threats” will have to be reported.
Incidents must be reported within 24 hours and notified with 72 hours after having become aware of the incident with a final report to issue within one month of notification.
Cyberthreats must be notified to service recipients without delay.

Sanctions

Fines – for Essential Entities of €10,000,000 or 2% of the total worldwide turnover of the undertaking to which the entity belongs in the preceding financial year; for Important Entities of €7,000,000 of 1.4% of the total worldwide turnover of the undertaking to which the entity belongs in the preceding financial year.
Criminal Penalties – may be introduced.
Management Bodies – anyone exercising management responsibilities may be held personally liable or may be temporarily banned from discharging managerial responsibilities until action has been taken to bring the entity into compliance.
Public Statement – Entities may be obliged to issue a public statement on any infringement and name any individual responsible for that infringement.

Getting Ready

Every organization should assess if it is within scope of NIS2 or provides services to an entity within scope and, where necessary, take measures to ensure it can comply with the risk management, governance and reporting requirements of the NIS2 once introduced.
As Ireland may opt to introduce more stringent measures than those imposed by NIS2, entities within scope should keep a close eye on the Irish legislation once it is introduced and conduct a further risk assessment and compliance exercise at that time.