NIS2 – New EU Cybersecurity Framework

The new NIS2 directive, replacing the current NIS directive, has now been adopted by the EU Parliament imposing strengthened cybersecurity requirements on a much wider scope of entities and sectors. EU Member States have 21 months to incorporate the provisions into their national law and the new rules are therefore expected to enter into force by Autumn 2024.

NIS2 applies to more entities, sectors and services. Entities covered by NIS2 are divided into two categories: essential and important entities, depending on the sector in which the entity operates.

From an overall perspective, the same rules will apply to both essential and important entities and the main difference is the supervision regime.

It is important to note that NIS2 may indirectly apply to direct suppliers and service providers to the essential and important entities through flowing down NIS2 requirements on a contractual basis.

NIS2 specifies minimum cybersecurity risk management measures relating to e.g., authentication and communications systems, supply chain security, incident handling and reporting, trainings, etc. Entities not complying with the requirements set forth in the NIS2 may be subject to severe legal consequences, e.g., certification or authorization suspension, significant administrative fines up to the higher of 10 000 000 EUR or 2 % of the total worldwide annual turnover for the group for essential entities, and the higher of 7 000 000 EUR or 1,4 % turnover for important entities. In certain cases, personal liability may be incurred by the management members of non-compliant entities.

Setterwalls’ recommendations:

1. Assess whether your (group) company may be classified as an essential or important entity and thus directly subject to the NIS2.
2. At management board level in each company directly covered by NIS2, (i) oversee the powers of management in decision making and appoint a cybersecurity officer, (ii) ensure the plans for business continuity and crisis management, and (iii) prepare for training on cybersecurity related topics.
3. At a technical level, oversee and adapt security in network and information systems.
4. Establish or update relevant cybersecurity policies and procedures.
5. Identify and manage security risks in the supply chain on a case-by-case basis and make sure to flow down NIS2 requirements in the contract with your suppliers.
6. Implement or adapt reporting and notification process in case of an incident or cybersecurity threat.

Interested in knowing more about NIS2? Setterwalls have the experience and competence to lead you on the way to compliance. For further information, do not hesitate to contact our dedicated cybersecurity team.