NIS2 Directive

Directive 2022/2555 on measures for a high common level of cybersecurity

Category

Status

EU

Date of application is 18 October 2024.

EEA

Pending. The Commission has marked the proposal as EEA-relevant.

Scope

Operators of essential and important services within several sectors such as energy, transport, wastewater, food, research, IT (managed service providers and managed security service providers), public administration and postal and courier services. The margin of manoeuvre for member states in identifying entities subject to the Directive is reduced compared with the NIS 1 Directive.

Micro- and small enterprises (fewer than 50 employees and annual turnover below EUR 10 million) are, as a starting point, not subject to the Directive. Such enterprises may still be encompassed, e.g. if they are considered to have a key role in society, the economy or a certain sector (e.g., sole supplier to an EU country, or entities operating a particularly vulnerable business).

The distinction between essential and important services is only relevant for the supervisory regime (ex-ante supervision for essential services, and ex-post supervision for important services).

Relevance

NIS 2 not only addresses the challenges and limitations of NIS 1 but also introduces enhanced measures to ensure a unified and robust cybersecurity framework across Europe.

Implementation in Norway will likely be done through amendments to the Digital Security Act.

Key obligations

Like under the NIS 1 Directive, entities in scope are required to conduct a risk assessment and implement security measures appropriate to the risk. However, the NIS 2 Directive imposes a broad range of minimum measures, including: i) business continuity; ii) supply chain security; iii) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; iv) basic cyber hygiene practices and training; v) policies and procedures regarding the use of cryptography; and vi) human resources security.

The Directive further enhances the notification regime for cybersecurity incidents, through a three-step model where an early warning and initial information must be provided within 24 hours, an initial assessment of the incident within 72 hours, and a detailed report with identified root cause and mitigation measures within one month.

Supervisory authorities are given broad powers to supervise and impose sanctions, e.g. through on-site inspections, security scans, requests for evidence of implementation of policies, and binding instructions. Further, the regime for regulatory fines is harmonized: for essential service providers, the maximum fine must be at least EUR 10 million or 2% of the total global annual turnover of the business, whichever is higher. For important service providers, the maximum fine must be at least EUR 7 million or 1.4% of the total global annual turnover.