The business implications of the NIS2 Directive
Jeremiasz Kuśmierz
by Jeremiasz Kuśmierz
The NIS2 directive will be implemented by autumn 2024 and, building on the NIS1 directive, is a notable advancement in the European Union’s approach to cybersecurity. The primary goal of NIS2 is to harmonise interpretations of cybersecurity risk management and reporting obligations. It mandates EU members to implement national cybersecurity strategies and set up suitable supervisory bodies. However, how will this impact private business, and which organisations must brace themselves for new obligations?
Size
Under the current cybersecurity model, EU members have the authority to determine which entities qualify as operators of essential services. NIS2 not only broadens the list of sensitive sectors but also introduces a uniform size cap to identify the entities within its purview, targeting medium-sized and larger enterprises operating in relevant sectors. EU states will be able to make certain exceptions to this general rule, allowing them to both include or disregard entities depending on the importance of their operations within sensitive sectors.
Sectors
According to the directive, these sectors are divided into two. The first category covered by Annex I expands on strategic sectors covered by NIS1 (energy, transport, financial institution, healthcare, ICT). The groundbreaking difference with NIS2 is the newly added category of Annex II sectors encompassing a wide range of industries such as waste management, chemicals, food production, and various types of manufacturing.
Essential or important
In principle, large enterprises operating in Annex I will be classified as essential, while those medium-sized and/or active entities in Annex II will be considered important. This differentiation leads to the establishment of varied supervisory regimes for essential and important entities, striking a balance between the need for oversight and added administrative burdens on entities and authorities. Essential entities are subject to more comprehensive supervision, whereas important entities face a lighter scrutiny, based on ex post evaluation in the event of incidents.
Supply chain
The reach of NIS2 extends beyond essential and important entities directly affected by its provisions. It emphasises the importance of cybersecurity resilience throughout the supply chain. As a result, entities not directly governed by NIS2 may find themselves subject to new cybersecurity obligations through contractual agreements with partners compliant with NIS2.
Implementation
NIS2 only establishes a foundational framework of rules; the specifics will be determined by each member state. Given the extensive applicability of these new cybersecurity regulations, businesses and their advisors should monitor governmental proposals concerning NIS2 implementation and the measures to be adopted in each country.
GGI member firmPenterisWarsaw, PolandT: +48 22 257 83 00
Law Firm Services
Penteris is a European law firm committed to keeping clients ahead of the market with a mantra of “building long-term relationships”.
Jeremiasz Kuśmierz is focused on new tech and believes it to be the foundation of future business. His global outlook is highlighted by his participation in multinational deals involving China and Europe. He spreads his work across compliance, employment, dispute resolution, and risk management. Contact Jeremiasz.