EU lawmakers have endorsed new legislation that will lead to boardroom liability for cybersecurity and provide for the staged reporting of cyber incidents.

The second Network and Information Security Directive (NIS2) was formally approved by the Council of Ministers on Monday, after MEPs had voted in favour of the text. NIS2 is likely to have effect in national legislation across the EU by early October 2024 at the latest.

Stuart Davey, Partner: “Organisations may wish to make an early start on working on their NIS2 compliance programmes”

NIS2 builds on the original NIS Directive which took effect in the EU in 2018. It is broader in its scope than the original directive, meaning more organisations across both the public and private sectors will be subject to cybersecurity risk management and incident reporting obligations than before.

Businesses across sectors such as energy, transport, health, and digital infrastructure, as well as waste management, chemicals, food, and manufacturers such as those in the automotive and medical device markets, are among those that will be impacted by the legislation.

Stuart Davey, cyber expert at Pinsent Masons, said: “Whilst member states have 21 months in which to implement NIS2 in their jurisdictions, organisations may wish to make an early start on working on their NIS2 compliance programmes, particularly those in sectors not previously caught by similar cybersecurity regimes.”

Organisations subject to the NIS2 regime will be obliged to “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services”.

Specific cybersecurity measures endorsed in the legislation include policies on risk analysis and information system security, those regarding incident handling, access control policies and the use of multi-factor authentication or continuous authentication solutions. Supply chain security must also be considered, including the vulnerabilities “specific to each direct supplier and service provider” as well as “the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures”.

The precise cybersecurity measures each organisation must implement to comply with their legal obligations under NIS2 will depend on factors such as their size, exposure to risk, the likelihood of occurrence of incidents and their severity, and the availability and cost of implementing technology or international standards.

“Management bodies” must “approve the cybersecurity risk management measures taken” and oversee their implementation. Individuals in those bodies could be held personally liable if the organisation fails to comply with its cybersecurity obligations under the legislation.

New cybersecurity incident reporting rules will also apply. Any incident that has “a significant impact” on in-scope services must be notified to national computer security incident response teams (CSIRTs) or regulators.

NIS2 defines what is meant by a ‘significant’ incident – these are incidents that have caused or are capable of causing severe operational disruption of the services or financial loss for the entity concerned, or that have affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage.

A staged approach to incident notification is provided for under the directive. An “early warning”, indicating whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact, must be notified without undue delay and within 24 hours of awareness of the incident at the latest. A second report must be submitted without undue delay and in any event within 72 hours that includes an update on the initial information provided and provides an initial assessment of the incident, including its severity and impact, as well as, where available, “the indicators of compromise”.

CSIRTs or regulators can request intermediate reports, which would include “relevant status updates”. A final report must be submitted not later than one month after the second report was shared. The final report must include a detailed description of the incident, including its severity and impact; the type of threat or root cause that is likely to have triggered the incident; applied and ongoing mitigation measures; and where applicable, the cross-border impact of the incident. If the incident remains ongoing at the time the final report is otherwise due, a progress report should be submitted instead and a final report provided within a month of the issue being handled.

Davey said: “These changes represent a compromise between regulators wishing to receive early notification of organisations, in circumstances where it is not always possible to have meaningful or conclusive information about the incident within such short deadlines.”

NIS2 is expected to be published in the Official Journal of the EU (OJEU) in the coming days. It will come into force 20 days after its publication in the OJEU, and member states will have 21 months thereafter to implement the directive.
