The NIS 2 Directive (“NIS2”) entered into force on 16 January 2023, with the aim of creating a higher common level of cybersecurity in the European Union (“EU”). NIS2 repeals the NIS Directive (“NIS”), which we wrote about here. Member states will have 21 months (until 17 October 2024) to incorporate NIS2 into national law.

How does NIS2 differ from NIS?

NIS2 aims to remedy the inadequacies of NIS, namely the inconsistency between member states in relation to cybersecurity requirements and implementation of measures. The new Directive is wider in scope and builds upon NIS to create a more harmonised and robust approach to cybersecurity measures, reporting obligations and enforcement with the goal of increased collaboration and more efficient crisis management.

Some of the main changes brought about by NIS2 include:

• Extension of the scope of applicability to include sectors such as telecommunications, social media platforms, the food sector and public administration. The scope of NIS2 will also cover subcontractors with access to vital infrastructure to acknowledge the fact that threats to infrastructure can have significant consequences which may compromise the security of an entire organisation (for example the attack on the NHS 111 service in August 2022). 
• Introduction of a size-cap meaning medium-to-large- sized entities (over 50 employees and annual turnover over €10 million) within the relevant sectors will be subject to NIS2.
• Strengthening and streamlining cybersecurity risk management measures. Under NIS2 organisations must comply with a new set of measures which include risk analysis and information system security policies, business continuity and crisis management, supply chain security and use of cryptography and encryption of data.
• Introduction of more stringent supervisory measures for national authorities, stricter enforcement requirements and aims at harmonising sanctions regimes across Member States. For example initial notifications of threats must be made within 24 hours after becoming aware of an incident and further updates must be made within 72 hours.
• Increase in sanctions of up to max. 10 million EURO or 2% of total annual global turnover (reflects level of GDPR fines).
• Establishment of the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, a central body which will support, coordinate and manage large-scale EU-wide cybersecurity incidents.

What does this mean for businesses?

Cybersecurity has been high on the agenda as a priority for the EU in light of increased threats to businesses and it continues to pose significant challenges as the technological landscape develops rapidly. The introduction of NIS2 indicates that the risk of cyber threats will continue to dominate the agenda but also highlights the proactive approach to and the recognition by the EU of significant developments since NIS was first introduced in 2016.

Relevance for UK businesses

Although the UK is no longer part of the EU (meaning that NIS2 does not directly apply), many businesses operate within the EU, which will require them to comply with NIS2 in order to maintain the same level of security standards as other member states.

Looking to the future, it is also likely that, as with the data protection landscape, regulators in the UK will seek to introduce similar requirements to those in the EU as cybersecurity is global issue. This has already been demonstrated by the Government’s proposals to improve the UK’s cyber resilience which suggest that many of the proposed changes (widening the scope of regulation and increasing incident reporting requirements) will be similar to those in NIS2. Therefore, proactivity of businesses at an early stage when it comes to cybersecurity will be of significant value to in order to stay competitive and to ensure sufficient protection against cyber threats. 

If you would like to discuss the impact of the upcoming changes, please get in touch with David Varney or another member of the Data Protection and Cyber Security team.