The NIS2 Directive: How far does it reach?
The NIS2 Directive is one of the latest efforts by EU lawmakers to increase cybersecurity across the bloc and keep pace with the challenges of an increasingly digitalised society and growing cyber threats.
As its name suggests, the NIS2 Directive is not the EU’s first attempt to implement harmonised cybersecurity rules at EU level. It follows an earlier legislative initiative with similar objectives, the NIS Directive.
Nevertheless, when comparing the NIS2 Directive with its predecessor, it becomes clear that the new Directive, which must be implemented into national law of the EU Member States by 17 October 2024, ushers in a new era of EU cybersecurity legislation and is not just an update of the existing legal framework.
A new era of EU cybersecurity legislation
First, there is a clear (r)evolution regarding the substantive cybersecurity requirements that Member States must implement in their national laws.
Companies covered by the NIS2 Directive must take a proactive approach to cybersecurity by implementing robust cyber governance and cyber risk management measures. This means that the covered companies must implement and maintain a cybersecurity programme that covers at least the following:
- Risk analysis and information security policies
- Incident management
- Business continuity
- Supply chain security
- Acquisition of network and information systems
- Development and maintenance
- Review of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures for using cryptography
- Personnel security
- Access control policies and asset management
- Multi-factor authentication or continuous authentication solutions
- Secure voice, video and text communications as well as emergency communications systems.
The development and practical implementation of the cybersecurity program must be overseen by the company’s senior management, who should receive cybersecurity training to enable them to do so effectively and be prepared to take on the additional responsibility.
Since the NIS2 Directive only sets a minimum standard for harmonisation, EU Member States may decide to set more stringent cybersecurity requirements in their national implementing laws. With this in mind, the companies concerned must identify the specific requirements that exist at Member State level. In addition, competent authorities at EU and Member State level may issue further guidance that should be taken into account when determining whether the company’s cybersecurity risk management programme meets the expectations of regulators.
In addition to cyber governance and cyber risk management measures, the NIS2 Directive sets out strict incident reporting requirements, with demanding deadlines of just 24 hours for the first “early warning” to the relevant Computer Security Incident Response Teams or the competent authority. These incident reporting requirements will likely require affected companies to revise their internal incident handling processes.
Companies within the scope of the NIS2 Directive
The NIS2 Directive not only marks a new era in terms of substantive cybersecurity requirements, it also significantly changes the scope of these requirements.
With the NIS2 Directive, the EU legislator abandons the previous approach (under the former NIS Directive) where Member States had to specifically identify the companies subject to the most stringent obligations. Instead, the NIS2 Directive directly defines the companies falling within the scope, without any further intervention by Member States (although Member States still have some flexibility to subject additional companies to their local NIS2 implementation law).
Annexes I and II to the NIS2 Directive provide two lists of undertakings that fall within the scope of the Directive if they meet or exceed the threshold for medium-sized enterprises.
Annex I identifies the types of companies to be considered “essential entities” (e.g. companies active in energy, transport, banking, financial markets, health, drinking water, digital infrastructure, B2B ICT service management, public administration and space).
Annex II identifies the types of companies subject to the NIS2 Directive as “important entities” (e.g. companies active in waste management, postal services, chemicals and food sectors, medical device manufacturers, digital providers and electronics manufacturers).
The NIS2 Directive also applies to certain companies regardless of their size, such as providers of public electronic communications networks or publicly available electronic communications services and providers of trust services.
Territorial reach
While the NIS2 Directive clearly defines what type of companies are subject to it, its territorial scope is rather unclear. In this context, Article 2 states that the NIS2 Directive applies to companies “that provide their services or activities within the EU.”
At first glance, this suggests that the NIS2 Directive has a strong extraterritorial reach, with the only required link to the EU being that a company provides services or carries out activities in the EU. However, to gain a more precise understanding of the territorial scope of the NIS2 Directive, Article 26 in the section on “Jurisdiction and Territoriality” should also be considered. This article clarifies that the NIS2 Directive has a strong extraterritorial reach for certain types of entities and a limited extraterritorial reach for others.
The strict extraterritorial regime (Article 26(2) and (3)) applies only to certain technology companies that offer services across borders, such as DNS service providers, cloud computing service providers and providers of online marketplaces, online search engines or social networking service platforms.
For these companies, it is sufficient to provide services or activities in the EU for the NIS2 Directive to be applicable, even if they are not established in the EU. In the latter case, these companies must appoint a representative in the EU and are subject to the jurisdiction of the Member State where the representative is established.
For most other companies, the limited extraterritorial regime applies (with specific rules for electronic communications networks/services and public administration): such a company is subject to the jurisdiction of the Member State where it is established (Article 26(a)). Therefore, if these types of companies are not established in the EU, the NIS2 Directive does not apply to them.
Contributing author: Tiago Sérgio Cabral, Associate, Hunton Andrews Kurth