EU – NIS2: Three difficult implementation issues

The NIS2 Directive should now be firmly bedded in. The deadline for Member States to implement the Directive was October 2024 so we should now have a clear idea about how this new regime operates in practice.

However, some Member States are still to implement the law and difficult questions remain. We look at three recurrent questions about the EU’s new cyber regime.

A network of new cyber laws

The Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2”) is a part of a jigsaw of new EU information security laws introduced to address the significant and ongoing cyber threat.

It is intended to strengthen the cyber defences of companies operating in essential or important sectors of the economy. It is similar to the previous NIS1 Directive, but the scope of NIS2 is broader, capturing a range of new sectors such as food production, waste management and manufacturing. However, as set out below, that scope is unclear and problematic.

As set out in our fully updated EU Digital Handbook, NIS2 sits alongside the EU’s new Digital Operational Resilience Act (DORA) which is aimed at the financial sector, and the Cyber Resilience Act which sets minimum cyber security standards for software and hardware. These are supplemented by other measures aimed at bolstering Member States’ responses to cyber-attacks, such as the Cyber Solidarity Act.

More to NIS2 than meets the eye

One important difference between NIS2 and many other parts of the EU Digital Package is that it is a Directive. As such, it must be implemented by all the Member States. This has led to delays, with 11 Member States still to pass implementing legislation, and to divergences, particularly in relation to director liability.

The headline obligations for private companies under NIS2 appear relatively straightforward. The principal obligations on essential and important entities are to:

  • Secure their systems – Use appropriate and proportionate technical and organisational measures to manage the risks to their systems. While this must be done by reference to a relatively extensive list of criteria (see Article 21(2)), none of this should be particularly new or surprising.
  • Notify incidents – Similarly, NIS2 adds to the long list of laws requiring security breaches to be notified to the relevant regulator. The new obligation to notify incidents with a significant impact is not necessarily coterminous with existing laws (for example, an incident under NIS2 might not involve personal data and so not trigger a notification under the GDPR) and the reporting cadence is more sophisticated and stricter (for example, an early warning report must be made within 24 hours). However, this should not require a big compliance lift.

However, compliance with NIS2 has not proved quite so straightforward in practice. We look at three recurrent questions.

Issue 1 – Who does it apply to?

As set out above, the scope of NIS2 has been expanded significantly to now include entities involved in a broad range of activities such as manufacturing, chemical production and distribution, food production, processing and distribution, and “research”. Some large organisations have relatively heterogeneous operations so mapping those activities onto NIS2 may not be straightforward.

One problem is understanding what some of the activities encompass. Some are tied back to extensive definitions. For example, “research organisations” are those whose primary goal is applied research or experimental development, as further defined in the 402-page-long Organisation for Economic Cooperation and Development’s Frascati Manual 2015: Guidelines for Collecting and Reporting Data on Research and Experimental Development (see recital 36 of NIS2).

In other cases, the definition is short and unclear. For example, food production, processing and distribution is defined by reference to Article 3(2) of Regulation (EC) No 178/2002: “any undertaking, whether for profit or not and whether public or private, carrying out any of the activities related to any stage of production, processing and distribution of food”. NIS2 only applies where this is done on an “industrial” basis, but does running a staff cafeteria bring you within the scope of this new law?

One of the most problematic categories is “managed service providers”, which is an entity that “provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely”. Does this include an entity within a group of companies that provides IT services to other members of the same group? The answer is far from clear and there are differences in approach.

Finally, NIS2 sets minimum cybersecurity requirements. Member States can, as part of their national implementing legislation, extend the scope of NIS2 by including stricter measures and adding additional entities. For example, the draft Spanish law adds entities in the nuclear sector and even draws Pepe Carvalho and other detective agencies into the net.

There are limits on the scope of NIS2, particularly the partial exemption for small and micro enterprises and for those subject to DORA. However, mapping the borders of NIS2 may take time and there is an obligation to register with the relevant competent authority, so this is not a decision that can easily be ducked.

Issue 2 – The Implementing Regulation

The next issue is the very detailed security obligations applicable under the Commission Implementing Regulation (EU) 2024/2690. This regulation applies to a subset of essential and important entities providing digital infrastructure and services, including managed service providers.

The requirements under this Implementing Regulation are extensive. For example, they extend to issues such as:

  • Asset management obligations, including a classification system for all assets, an asset inventory and a technical prohibition on connecting removable media unless there is an organisational reason for their use.
  • Wide-ranging employee-related obligations, including duties to vet new hires and establish a disciplinary process for those breaching information security policies.
  • Detailed access control obligations, including use of multifactor authentication, mandatory blocking after a set number of failed login attempts and logical separation of administrator systems.

Many of the obligations in the Implementing Regulation are sensible but affected entities will likely not comply with all of them. The Implementing Regulation therefore applies a partial “comply or explain” approach. Where an obligation is to be applied ‘where appropriate’, ‘where applicable’ or ‘to the extent feasible’, the relevant entity can choose not to do so, so long as that decision is documented (Article 2(2)). In other words, for entities caught by the Implementing Regulation there is a task to verify whether the requirements are met and justify any omissions.

Finally, while the Implementing Regulation only applies to entities providing digital infrastructure and services, it may well provide a de facto standard for other entities caught by NIS2. There may also be additional mandatory obligations under national implementing law, such as the need for a ‘bug bounty’ program under Belgian implementing law.

Issue 3 – Personal liability for directors

The final recurring question is the effect on the company’s management body. NIS2 is intended to make cyber a boardroom issue by, for example, introducing mandatory cyber training and requiring that the management body approve and oversee NIS2 compliance.

Less welcome is the fact that the management board “can be held liable for infringements” of the obligation to apply appropriate cyber security measures. Added to that, regulators can in certain cases seek an order to suspend members of the management board.

The implementation of this obligation varies from jurisdiction to jurisdiction. The Italian implementing law does not appear to envisage directors being personally fined for breaches, whereas under the draft Polish law the management body can be personally liable for failure to ensure cybersecurity compliance, in the form of fines of up to 300% of their salary. Moreover, where management of a critical entity or an important entity is a multi-member body and no responsible person has been appointed, all members of the management will be jointly liable.

Part of the solution will be to check if that liability is covered by D&O Insurance. However, coverage is not always available for regulatory fines, particularly where there is individual culpability.

Conclusion

NIS2 is part of a plan by the EU to legislate cyber-attacks out of existence. While it will not apply in the UK, there are plans to mirror some of these developments by amending the UK implementation of NIS1 (e.g. to extend it to managed service providers) and introducing the new Cyber Security and Resilience Bill.

This deluge of new EU laws under the CRA, DSA, Data Act etc. may not be entirely helpful, and many organisations feel overwhelmed by their new obligations. Added to that, our experience is that grappling with the uncertainties in relation to the scope of NIS2, on top of the complex web of national NIS2 implementing laws, has complicated compliance efforts, and the spectre of personal liability for directors can drive a cautious and defensive response. Having said that, cyber security should be a priority for all organisations – regardless of any regulatory sanction, a cyber-attack is a traumatic and costly affair.