The new version of the Network and Information Systems Directive (NIS2 Directive, "NIS2") came into force on 16 January 2023. The new rules are expected to apply from October 2024 (see the Next Steps section below).

Who Should Read This Legal Update

This Legal Update is relevant for Operators of Essential Services falling under the scope of the current Network and Information Systems Directive ("NIS Directive"), such as credit institutions, financial market infrastructures (for instance operators of trading venues), electricity and transportation undertakings, healthcare providers including hospitals and private clinics, and drinking water suppliers and distributors.

This article will also interest companies that may be considered an essential or important entity under NIS2, which broadens the range of sectors currently covered by the NIS Directive. For instance, in addition to the above, NIS2 will also cover certain digital services such as social media platforms and data center services, wastewater and waste management, food (production, processing and distribution), space (including operators of ground-based infrastructure that supports the provision of space-based services), manufacturing of basic pharmaceuticals and critical medical devices, and postal and courier services.

Direct suppliers or service providers to entities that are in scope of NIS2 (e.g. data storage or managed security services) should note that, while they may not themselves be subject to NIS2, they should be prepared to undergo due diligence by in-scope organizations, which the new rules require to assess their suppliers.

What's New

Key developments arising from NIS2 include:

  • Expanded scope: NIS2 will apply to a wider pool of sectors and entities than currently covered by the NIS Directive, as indicated above.
  • Management liability for cybersecurity risk management: "Management bodies" (in the NIS2 wording) of in-scope entities, including the board and C-suite, must undergo cybersecurity training, approve the cybersecurity risk management measures taken by those entities, oversee their implementation and can be held liable for the entities' non-compliance with their obligations under NIS2.
  • Cybersecurity risk management measures: NIS2 sets out the minimum measures that in-scope entities must take to manage the risks posed to the security of the network and information systems they use to provide their services, including security policies and risk analysis, incident handling, business continuity, supply chain security, vulnerability handling and disclosure, cryptography, access control and multi-factor authentication.
  • Supply chain diligence: In-scope entities are required to assess the cybersecurity practices of their relevant suppliers and service providers in order to mitigate risks arising in their supply chain.
  • Amended incident reporting requirements: NIS2 phases incident notification: an early warning within 24 hours of becoming aware of a significant incident (the rules also address communication of significant cyber threats), a fuller incident notification within 72 hours, and "intermediate" and "final" reports thereafter.
  • Amended fines and penalties: Member States must provide for administrative fines with a maximum of at least EUR 10M or 2% of the entity's total worldwide turnover for the preceding financial year (whichever is higher) for breaches of NIS2 obligations by essential entities; for important entities the corresponding thresholds are EUR 7M or 1.4%.

For a more detailed analysis of the points above, please refer to our legal update from October 2022.

Next Steps

Member States must adopt and publish the measures necessary to comply with NIS2 by 17 October 2024, and apply those measures from 18 October 2024, when the NIS Directive is repealed and replaced by NIS2. Additionally, by 17 October 2024 the EU Commission is to adopt implementing acts setting out the technical and methodological requirements of the risk management measures for certain categories of digital entities (such as cloud computing, data center and managed security service providers).

At this stage, organizations should:

  • Consider whether they fall within the scope of NIS2, directly or indirectly (as a relevant supplier or service provider to an in-scope entity);
  • If so, identify the organizational, financial and technical steps needed to prepare for compliance; and
  • Monitor how NIS2 is transposed and implemented in the EU jurisdictions where they operate.

As a next step, in-scope entities are advised to prepare a roadmap for implementing compliance measures for risk management (including at board level) and vendor due diligence. Relevant vendors of in-scope entities will need to ensure that effective, documented processes are in place to manage the security risks associated with their products and services, since in-scope customers will ask for evidence of them.

Originally published 28 February 2023

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.