Implementation deadline for NIS2 and new EU cybersecurity compliance regime draws nearer

Published on 6th Aug 2024

What should organisations do to prepare for the revised directive's national implementation deadline in two months' time?

The revised Network and Information Systems Directive, or NIS2, which entered into force on 16 January 2023 and replaced the Network and Information Systems Directive (NIS1), aims to eliminate divergences in implementing the repealed NIS1.

It represents a significant step forward in bolstering cybersecurity resilience across the EU. With its broader scope, risk-based approach and emphasis on supply chain security, NIS2 acknowledges the evolving threat landscape and the critical role of essential services and digital infrastructure.

A 21-month implementation period for NIS2 to be incorporated into national legislation started on 16 January 2023. EU Member States have until 17 October 2024 to transpose the directive into their national laws. Businesses will need to understand the implementation regimes that have been enacted in order to ensure compliance. Our earlier Insight looked at where the Member States had got to by the end of last year – what progress has been made since?

The Netherlands

In the Netherlands, NIS2 will be implemented into the Cybersecurity Act (Cyberbeveiligingswet), which will replace the current Dutch Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen).

In May 2024, a draft implementation act of NIS2 became available in the Netherlands. The draft act is largely the same as the NIS2 Directive itself, and, for example, does not include information on the categories of essential and important entities other than the information that has been provided in NIS2.

After publication of the draft act, a consultation period followed from 24 May until 2 July 2024. This allowed citizens, organisations, and government institutions to comment on the draft and suggest possible improvements. A total of 112 comments were received, the majority of which were submitted by companies likely to be affected by NIS2.

Following this consultation phase, the Dutch government will evaluate if and how the draft act should be revised and whether the explanatory notes to the act should be amended. It is not clear yet when the final version of the Cybersecurity Act will be published, but the government has already indicated that it will not meet the implementation deadline of 17 October 2024.

In addition, the government published a tool on its website that allows organisations to determine whether NIS2 applies to them, whether they are an "essential" or "important" entity, and whether they fall under Dutch supervision.

The tool also provides information on each category of sectors, subsectors and entities to which NIS2 may apply. Although most information included in the tool is already set out in the annexes of NIS2, it does provide some additional information that may be useful to determine if and how NIS2 will impact an organisation.

The Dutch government advises organisations to start implementing cybersecurity and NIS2-related measures now.

Germany

On 24 June, the Federal Cabinet adopted the official draft of the German NIS2 Implementation Act. This Implementation Act draft includes changes to several German legal acts.

At its centre are new versions of the Act on the Federal Office for Information Security – the BSI Act – and several administrative regulations (Verordnungen) that further specify the BSI Act (the administrative regulations and the BSI Act already serve to implement the NIS1 Directive).

Judging from the current Implementation Act draft, it seems that the German lawmaker will choose to implement NIS2 more strictly than the directive itself requires (that is, beyond minimum harmonisation).

Germany will widen the scope of regulated entities as compared to NIS2. So far, Germany has identified NIS1-regulated entities based on whether they supply around 500,000 people in Germany with “critical” services. It regulated more entities than required under NIS1.

With NIS2, some of those formerly regulated entities in Germany could theoretically fall out of the regulation. However, the current German drafts introduce a third category in addition to the "essential" and "important" entities regulated under NIS2. In this category, the drafts plan to continue regulating former "critical infrastructures". As a result, more entities would fall into the scope of IT security obligations in Germany than the NIS2 scope requires.

The current drafts enable the Ministry of the Interior to require mandatory cybersecurity certifications for certain services or products. NIS2 only enables, but does not require, Member States to introduce mandatory certifications.

The German implementation will contain a requirement for the third category of entities ("critical facilities") to provide the Federal Office for Information Security with suitable evidence of their appropriate technical and organisational IT security measures every three years.

While the adoption of the official draft is a significant milestone in the legislative process, it is still uncertain whether the Implementation Act will enter into force before the NIS2 implementation deadline of 17 October 2024. This is because it still needs to pass through the German Federal Parliament, which can be a lengthy process. Even after the Implementation Act is passed, the BSI Act will remain abstract. The Ministry of the Interior will have to specify important details of the new BSI Act, such as the definition of “critical facilities” and a list of the products that need certification, in several administrative regulations (Verordnungen).

France

The French National Agency for the Security of Information Systems (ANSSI) is in charge of NIS2 in France.

The ANSSI has launched a website dedicated to NIS2 where companies can find useful information on the transposition and how to prepare. According to the ANSSI's 2023 Cyberthreat Panorama of 27 February 2024, the directive’s transposition into national law will have to be coordinated with other measures such as the European RCE (Directive (EU) 2022/2557 of 14 December 2022 on the resilience of critical entities) and DORA (Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector) legislation.

In early 2024, the ANSSI also started working with stakeholders on the "co-construction" of the implementation of security measures. The aim is to provide parliament with a draft transposition bill as early as possible in 2024 in order to meet the transposition deadline (there has been no further development on this at the time of writing).

Italy

On 10 June 2024, the government approved the draft of the Legislative Decree implementing the NIS2 (the "Draft Decree"). To ensure consistency with the national regulatory framework on cybersecurity and to promote proportionate implementation, the Draft Decree, among other things:

  • expands the catalogue of definitions in article 6 of NIS2;
  • establishes mechanisms for registration of "important" or "essential" entities through an online digital platform;
  • provides for the option to derogate from the new framework for groups of enterprises as defined in Commission Recommendation 2003/361/EC;
  • extends the scope of the new framework to public administrations, also irrespective of their size, included in the categories listed in Annex III of the Draft Decree;
  • extends the application of the new framework also to certain local public transport entities and in-house companies, investee companies and publicly controlled companies, listed in Annex IV of the Draft Decree;
  • provides some coordination between the sanctioning powers of the NIS Authority and the local data protection supervisory authority;
  • provides for sanctions also against public administration entities but the amounts are significantly lower than those provided against private entities;
  • introduces a transitional regime for entities already subject to Legislative Decree No. 65/2018, which implemented the NIS Directive and will be repealed.

The Draft Decree is now undergoing parliamentary scrutiny.

Spain

Despite the approaching deadline for the implementation of NIS2, Spain has hardly progressed in this regard. Efforts undertaken by various working groups throughout 2023 and the public consultation launched in September 2023, which lasted for almost one month, have not resulted in a concrete draft bill for its implementation. However, the Spanish Ministry of the Interior has recently been requested to expedite the process in view of the impending deadline.

Poland

In Poland, legislative work to implement NIS2 is under way: a draft amendment to the National Cybersecurity System Act has been published. The draft is at the opinion stage, which started at the beginning of April 2024.

The amendment reflects some of the requirements and solutions introduced in NIS2; for example, it introduces a new division of the entities covered by its provisions. The previous separation into key service operators and digital service providers gives way to a division into key and important entities. Under the new legislation, compliance with the ISO/IEC 27001 and ISO/IEC 22301 standards will be considered sufficient to meet the regulatory requirements for information security systems under NIS2. The draft amendment also proposes a new system of administrative penalties and new powers for supervisors, such as the ability to issue a protective order.

The adoption is scheduled for no later than 17 October 2024, but a postponement cannot be ruled out.

Belgium

On 18 April 2024, the Belgian Parliament approved the law which establishes a framework for the cybersecurity of network and information systems of general interest for public security, thereby transposing the NIS2 Directive into Belgian law (referred to as the "NIS2 Law"). Here is a brief overview of how Belgium has approached the implementation of the NIS2 Directive:

  • Belgium has decided to take advantage of the possibility to extend the list of entities subject to the NIS2 requirements. The NIS2 Law allows the list of entities subject to the NIS2 obligations to be extended by royal decree, including by adding further sectors and sub-sectors. In addition, specific entities may be added by decision of the Belgian regulator.
  • Belgium has extended the list of risk management measures and information obligations. As a result, entities subject to the Belgian NIS2 Law will be required to take new risk management measures and comply with additional information obligations for the purpose of establishing a solid security policy. To ensure compliance, the relevant authority must be identified; important entities may carry out a pre-assessment on a voluntary basis (it is mandatory for essential entities); and administrative actions as well as fines may be imposed.

The Royal Decree (of 9 June 2024) has now been adopted, providing further details on the implementation of the NIS2 Law. This decree specifies the additional sectors and sub-sectors that are included under the NIS2 obligations and outlines the specific risk management measures and information obligations that must be adhered to by the entities. It also specifically designates the Centre for Cybersecurity Belgium (CCB) as the national cybersecurity authority for Belgium.

Sweden

Sweden transposed NIS1 into its own legislation in 2018 through "Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster". NIS2 is in the process of being implemented into Swedish legislation.

On 5 March 2024, the interim report for implementing NIS2 into Swedish legislation (SOU 2024:18) was presented, proposing a new Cybersecurity Act intended to replace Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster. The Act expands its scope significantly, now including sectors such as energy, transport and healthcare, and mandates entities operating in these areas to adopt comprehensive risk management measures, including cybersecurity protocols and data encryption.

This expansion also requires a higher awareness of cybersecurity among senior management and mandates incident reporting to Sweden's national Computer Security Incident Response Team (CSIRT). Supervisory authorities will see an increase in their oversight and sanctioning capabilities, with administrative penalties modelled after the GDPR's framework. The law is scheduled to take effect on 1 January 2025.

The final report is scheduled to be submitted to the Swedish government by 16 September 2024. Sweden will have until 17 October 2024 to transpose NIS2 into national legislation.

How NIS2 builds on NIS1

NIS2 introduces important changes and improvements to NIS1. It is broader in scope and has a risk-based approach. It emphasises supply-chain security and introduces stricter incident reporting and management liability for failing to comply with cybersecurity requirements under NIS2. It also strengthens national regulatory oversight.

For more detail about what businesses should know about the NIS2 regime (including to which businesses it applies and the extent of personal liability for managers under the new regime), see our earlier Insight.

Implementing regulation on incident reporting

The stricter incident reporting requirements under NIS2 include shorter deadlines for reporting serious incidents to competent authorities, so as to ensure a swift response to cyber threats.

Entities must report all significant cybersecurity incidents to the designated national computer security incident response team or to the competent national authority (depending on how this is arranged under the national implementation acts).

On 27 June 2024, the European Commission published a draft implementing regulation on technical and methodological requirements and significant incidents as set out in NIS2. To obtain feedback on the draft from parties concerned, a consultation period opened from 27 June until 25 July 2024. The European Commission will take the feedback into consideration when finalising the implementing regulation, in respect of which adoption is planned for the third quarter of 2024.

The draft pertains to entities within the digital infrastructure sector, ICT service management and digital service providers. It sets out the criteria for assessing whether an incident is deemed "significant". This is the case if, among other things, the incident:

  • Leads to the exfiltration of trade secrets.
  • Causes or is capable of causing financial loss exceeding €100,000 or 5% of the relevant entity's turnover.
  • Leads to the complete unavailability of a data centre service for any period of time.
  • Causes "considerable reputational damage", considering factors such as media reporting of the incident and the likelihood of losing customers with a material impact on the business, or of failing to meet regulatory requirements as a result.

What steps can businesses take?

NIS2 compliance will not only be mandatory but also essential to mitigate cybersecurity risks effectively. The implementation process into national legislation is ongoing, but governments across the EU have advised businesses to take preparatory measures. Below is a suggested checklist for compliance measures that can be taken.

  • Risk assessment. Conduct thorough risk assessments to identify vulnerabilities and threats specific to the organisation, and draft and implement risk management strategies tailored to the business. Risk assessments should take into account digital risks that could disrupt business continuity, the interests that are most important to the business and the measures already taken to protect those interests.
  • Incident response plan. Develop a robust incident response plan that outlines procedures for detecting, reporting, and mitigating cybersecurity incidents promptly.
  • Supply chain security. Evaluate the cybersecurity practices of suppliers and partners. Consider how to ensure that these meet the required security standards (for example, by amending current contracts, adding new cybersecurity-related provisions to template agreements and implementing procedures for regular checks and audits). Consider diversifying the supply chain to reduce single points of failure.
  • Security by design. Incorporate cybersecurity into the design and development of products and services. Implement security controls at every stage of the product lifecycle.
  • Employee training. Develop and implement training sessions for employees on cybersecurity best practices and create a culture of security awareness within the organisation.
  • Regulatory compliance. Keep abreast of developments regarding NIS2 and closely monitor draft NIS2 implementation acts. Where relevant and possible, businesses may want to provide input on those draft acts during consultation periods.

The draft implementing regulation on technical and methodological requirements and significant incidents that was published on 27 June 2024 sets out more specific cybersecurity risk management measures that must be implemented by covered entities. These include:

  • Insider threat and access controls.
  • Supply chain contracts.
  • Monitoring and logging.
  • Identification of "crown jewel" assets.

Osborne Clarke comment

Member States must transpose NIS2 into local laws by 17 October 2024. This date is rapidly approaching, and most Member States are taking steps to legislate implementation acts and issue related guidance. However, since many Member States are behind schedule in transposing the directive, it is likely that some will not meet the transposition deadline.

Organisations that foresee or suspect they fall under the scope of NIS2 or that consider cybersecurity of utmost importance to their business would be wise to prepare well in advance. By conducting risk assessments, developing incident response plans and fostering a culture of cybersecurity awareness, organisations will be well on their way to meeting the new obligations.

Elena Rossi, Trainee Solicitor at Osborne Clarke, contributed to this Insight.

If you have any questions regarding the NIS2, such as whether and how it will apply to your organisation, or if you would like us to keep you updated on new developments regarding NIS2, please contact one of our experts.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.