The European Union (EU) has adopted a new cybersecurity directive (NIS2). The new rules will apply to a wide range of businesses across many sectors, creating new cybersecurity obligations and imposing steep fines for non-compliance. EU countries have until October 17, 2024 to transpose the new rules into national law. As the deadline approaches, businesses need to assess the impact on their cybersecurity strategy. This alert summarizes a company's key obligations.
EU Cybersecurity Framework
In December 2020, the European Commission announced a proposal to repeal and replace the NIS Directive as part of its EU Cybersecurity Strategy. The aim of this strategy is to strengthen the EU's cyber resilience. Other initiatives under it include: i) new cybersecurity requirements for software and hardware products (see the Wilson Sonsini Client Alert on the draft Cyber Resilience Act); ii) new security requirements in the financial sector (Digital Operational Resilience Act); and iii) new standards to protect and harden critical entities against disruptive incidents (Critical Entities Resilience Directive).
Scope of application
NIS2 has an expanded scope compared to the previous NIS Directive. It applies to "essential" and "important" entities that provide services or carry out business activities within the EU. The list of entity types in scope is extensive (see the detailed overview of NIS2 scope published by the Belgian Centre for Cybersecurity) and includes:
- companies active in sectors of high criticality, such as digital services (cloud services and data center providers), airlines, banks, electricity distribution and transmission system operators, entities engaged in pharmaceutical R&D, and manufacturers of medical devices essential during public health emergencies; and
- companies active in other critical sectors, such as social networking platforms, manufacturers of electrical and medical equipment, and food production, processing and distribution companies.
Member States will maintain a list of essential and important entities, to be reviewed at least every two years.
Summary of major new obligations
The previous NIS Directive required covered organizations to take appropriate and proportionate technical and organizational measures to protect their network and information systems from security threats. It also mandated notification of security incidents. For more information on the NIS Directive, see Wilson Sonsini's alert here.
NIS2 enumerates new cybersecurity measures that organizations must implement and modifies incident reporting obligations.
- Cybersecurity risk management requirements. Businesses must implement new cybersecurity risk management measures, including, for example: i) adopting policies (e.g., incident handling policies, risk analysis and information system security policies); ii) conducting cybersecurity training; iii) implementing backup management and disaster recovery processes; and iv) using encryption and multi-factor authentication where appropriate. Such measures should be proportionate to the likelihood of an incident occurring, the risks involved, and the severity of the incident's potential impact.
- Reporting obligation. Companies must notify significant incidents to the national Computer Security Incident Response Team (CSIRT) designated by each EU Member State. A "significant" incident is a cyber-related event that i) has caused or is capable of causing severe operational disruption of the services or financial loss for the company concerned; or ii) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
NIS2 requires companies to provide an early warning within 24 hours of becoming aware of a significant incident and, within 72 hours, an incident notification with further details including an initial assessment of the incident's severity and impact. Companies must then submit a final report to the CSIRT within one month of the incident notification, including a detailed description of the incident, its severity and impact, the likely root cause, and the mitigation measures applied and ongoing.
One-stop shop
Certain essential and important entities established in more than one EU country (e.g., cloud computing service providers, data center service providers, and certain digital providers) will benefit from a one-stop-shop mechanism. These companies will generally need to comply only with the law of the Member State of their main establishment, rather than being subject to the requirements of multiple jurisdictions. The European Union Agency for Cybersecurity (ENISA) maintains a register of these entities.
Sanctions
Companies that breach their reporting or cybersecurity risk management obligations may be subject to the following fines: i) essential entities: up to EUR 10,000,000 or 2.0% of worldwide annual turnover (whichever is higher); ii) important entities: up to EUR 7,000,000 or 1.4% of worldwide annual turnover (whichever is higher).
Next steps
EU Member States have until 17 October 2024 to transpose NIS2 into national law, with the national rules applying from 18 October 2024. Requirements may vary between Member States, as they may adopt or maintain provisions that ensure a higher level of cybersecurity. The UK government has also announced that it will introduce similar obligations in an update to its NIS regulations.[1] Businesses should carefully assess the local requirements in each jurisdiction where they operate and adapt their cybersecurity strategies as necessary.
For more information, please contact Cédric Burton, Laura De Boel, or another member of the firm's Privacy and Cybersecurity Practice.
Laura Brodahl, Carol Ebrard, Joanna Juzak, Matthew Nooding, Sebastian Thess and Hattie Watson contributed to the preparation of this Wilson Sonsini Alert.
[1] "Cyber laws updated to boost UK's resilience against online attacks", UK Government, Press Release (30 November 2022): https://www.gov.uk/government/news/cyber-laws-updated-to-boost-uks-resilience-against-online-attacks