On 16 January 2023, the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) came into force, reforming and expanding existing European cybersecurity legislation. It aims to strengthen Europe against current and new challenges in the field of cybersecurity and to protect the interference-free operation of network and information systems. For the financial sector, the Digital Operational Resilience Act as a lex specialis contains even stricter regulations compared to the NIS 2 Directive (KWR also reported on this: New IT security requirements for outsourcing in the financial sector).
The impetus for the NIS 2 Directive came from a review by the European Commission of the NIS 1 Directive, which came into force in 2016 (and was implemented in Austria in the NIS Act). The review revealed that national legislation to transpose EU law was characterised by marked divergences, ranging from the defined obligations in relation to security and the reporting of security incidents to the scope of application itself. These divergences led to insufficient coordination and response capacity on the part of the Member States.
Who will be affected by the new requirements under the NIS 2 Directive?
The scope of the NIS 2 Directive (Art 2 (1)) covers
- public or private organisations of the type listed in Annex I (Sectors of high criticality) or Annex II (Other critical sectors)
- which qualify as medium-sized enterprises according to EU Commission Recommendation 2003/361, and
- provide their services in the European Union.
Member States may also include certain entities in the scope of the NIS 2 Directive irrespective of whether they are classified as medium-sized enterprises.
Annex I covers 11 sectors of high criticality, and Annex II includes 7 other critical sectors*:
[Table: Annex I (sectors of high criticality) | Annex II (other critical sectors)]
*) Compared with the NIS 1 Directive, the number of covered sectors is increased from the original 8 to 16 sectors (marked as "new" in the table). The most significant new feature is that manufacturing industries (chemicals and food) are also included in the scope of application.
Essential and important entities: new compliance requirements
The NIS 2 Directive distinguishes between essential and important entities: Essential entities include all those in the sectors of high criticality (Annex I) which are medium-sized companies and, for example, qualified trust service providers, top-level domain name registries and DNS service providers. By contrast, all entities which are not essential but fall under one of the (sub)sectors in Annexes I and II and are considered medium-sized companies are classified as important entities.
Essential and important entities must take appropriate, proportionate and effective technical, operational and organisational measures to protect the security of the network and information systems they use to provide their services, to prevent disruptions and to minimise the impact of security incidents. These measures must at least cover the following areas:
- Risk analysis and security for information systems;
- Management of security incidents;
- Backup and crisis management;
- Supply chain security (security-related aspects arising between the individual entities and their direct service providers);
- Security measures for the acquisition, development and maintenance of network and information systems (incl. vulnerability management);
- Evaluation of the effectiveness of cybersecurity risk management measures;
- Cybersecurity training;
- Cryptography and encryption;
- Personnel security, access control and asset management, as well as
- Multi-factor authentication or continuous authentication, secure voice, video and text communication and secure emergency communication systems within the entity.
What are the reporting obligations to be complied with?
Essential and important entities must also report security incidents to the competent authority (i.e. the Strategic NIS Authority, which is based at the Federal Chancellery under the NIS 1 Directive) according to a three-stage reporting system:
- Initial notification without undue delay, and within 24 hours at the latest;
- Update and first assessment of the security incident after 72 hours at the latest;
- Final report after one month at the latest;
- In the case of ongoing security incidents, a progress report is required after every further month.
Stricter penalties and accountability of management bodies
For breaches of the NIS 2 Directive, fines of up to 10 million euros or 2% of global annual turnover are foreseen for essential entities while important entities may face fines of up to 7 million euros or 1.4% of global annual turnover.
The NIS 2 Directive also stipulates that the management bodies of enterprises must ensure and monitor the implementation of and compliance with the risk management measures and can be held responsible in the event that the Directive's requirements are breached. Thus, now is the latest point in time at which cybersecurity must become a "top priority" in enterprises.
Outlook
The new requirements of the NIS 2 Directive must be transposed into national law by the Member States by 17 October 2024; the same applies to the Critical Entities Resilience Directive (CER Directive). Austrian draft legislation is already eagerly awaited; in particular, there is great interest in the Austrian legislators' take on the term "management body", the implementation of the sanctions regime and the entities that will fall within the scope of the NIS 2 Directive regardless of their classification as medium-sized enterprises. Our New Technologies and IP Teams will keep you up to date in this respect and will be happy to advise you on the implementation of the requirements enshrined in the NIS 2 Directive.