Cybersecurity in the EU: tighter regulations are coming – are you ready?
The European Council and European Parliament have reached a provisional agreement on a directive setting minimum cybersecurity standards across the EU; formal adoption is expected by the end of the year.
The directive, NIS2 (the Network and Information Security Directive 2), has to be transposed into the national law of each member state; the adopted text sets the deadline for this at 17 October 2024. NIS2 replaces and strengthens the current NIS Directive (adopted in 2016), which places a number of cybersecurity requirements on:
- operators of essential services (critical to the national infrastructure, economy, and society)
- relevant digital service providers (such as cloud computing services, online search engines, and online marketplaces) across the EU.
Why is the existing law going to be replaced?
First and foremost, the EU wants the requirements actually enforced, not merely listed on paper as a set of options that an organisation can choose to follow or ignore. That is why the new law also includes penalties for those who do not comply.
Another reason is the significant difference between member states in what counts as an "essential" or "relevant" service. As a result, the same kind of organisation must comply with the NIS rules in one country and is out of scope in another. This fragmentation pushed the European Commission to settle the matter with a common, explicit list of sectors and size thresholds. That is the general picture; now let's get into the details.
What’s all the fuss about — 3 essential questions
QUESTION 1: What are the new NIS2 obligations?
The NIS2 is mostly about risk management and reporting obligations.
Risk management measures include:
- backup management, business continuity and disaster recovery,
- incident handling,
- risk analysis and information system security policies,
- human resources security, supply chain security, and security in the acquisition, development and maintenance of systems (including vulnerability handling),
- policies on cryptography and, where appropriate, encryption,
- basic cyber hygiene and cybersecurity training, etc.
Reporting obligations include faster incident reporting timelines, all counted from the moment the entity becomes aware of the incident:
- an early warning must be given within 24 hours of becoming aware of a "significant" incident (one that causes or can cause severe operational disruption or financial loss, or considerable damage to other persons or entities), indicating where applicable whether it is suspected to be malicious or to have cross-border impact,
- an incident notification must follow within 72 hours, updating the early warning and giving an initial assessment of the incident's severity and impact, plus indicators of compromise where available,
- a final report must be given within one month of the incident notification, including a detailed description of the incident, its severity and impact (both national and cross-border), the likely root cause or type of threat, and the mitigation measures applied.
For reference, the present NIS Directive only says that incidents must be notified "without undue delay", with no fixed deadline.
NIS2 also aims to improve collaboration in managing large-scale incidents and crises within the EU. To support this and help with information sharing, it formally establishes EU-CyCLONe (the European Cyber Crisis Liaison Organisation Network), the network of national cyber crisis management authorities that has been operating since 2020.
QUESTION 2: What sectors will be affected?
Many more sectors fall under the scope of NIS2 than under NIS. The broader list not only includes healthcare, water supply, energy, and communication infrastructure, but also data centres, postal services, food production, the space sector, chemical manufacturing, and more. Public administration is covered as well, at central level and, where member states decide, at regional and local level; member states may exclude parliaments and central banks.
There is also a size threshold for organisations in the listed sectors. Under the adopted text, medium-sized and large entities are in scope automatically, i.e. those with at least 50 employees or an annual turnover or balance sheet above 10 million euros. Within that group, large entities in the highest-criticality sectors (at least 250 employees, or an annual turnover above 50 million euros and a balance sheet above 43 million euros) are classed as "essential entities" and face the strictest supervision and fines, while the rest are "important entities". Each member state can also bring smaller organisations into scope if it considers them critical to the country, e.g., educational institutions, and some providers (such as DNS and trust service providers) are covered regardless of size.
QUESTION 3: What penalties does the NIS2 Directive impose?
In terms of penalties, NIS2 follows the GDPR model and is just as serious. There will be no place for pretending: a company that does not comply with the new rules will have to pay, and pay a lot. Each member state must set "effective, proportionate, and dissuasive penalties" for breaches of NIS2, and supervisory authorities must be able to impose administrative fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, on essential entities (up to 7 million euros or 1.4% for important entities). These fines apply to breaches of the reporting obligations as well as of the risk management measures.
How to prepare?
As already mentioned, the governments of the EU member states have 21 months from the directive's entry into force to transpose it into national law (17 October 2024 under the adopted text), and by then the companies it applies to should be as well prepared as possible.
Even the UK, which is not bound by the new law, has signalled that it will reform its own NIS regulations along similar lines, since cybersecurity is treated as one of the most critical issues for the country. Companies that operate fully or partially in the UK should therefore start taking the appropriate steps well in advance too.
But what steps are we talking about, exactly?
- Step #1: Stay informed. Read the official announcement and don't panic: there is time to prepare, but don't leave it until the last minute. A practical first move is to check whether your organisation falls within the listed sectors and size thresholds, and to map your current incident handling and reporting process against the 24-hour, 72-hour and one-month timelines.
- Step #2: Choose the right cybersecurity partner, one who can guide you through the process when the time comes and help you introduce the necessary changes in your organisation. You can start talking to your shortlist of IT companies right now, to familiarise yourself with what they have to offer.
At Future Processing, we will be helping our existing customers with all of this — and we will be happy to help any other organisations that reach out for assistance as well. We are at your disposal and more than willing to answer any cybersecurity-related questions that you may have.