Q: What is the purpose of the NIS2 Directive, why is it needed and what outcomes are regulators trying to achieve? 

As its name suggests, NIS2 follows from the original EU Directive on network security, adopted in 2016. The original Directive laid down the basis for the first common cybersecurity standards among EU Member States. NIS2 recognizes the growing importance of protecting essential digital data and services. 

NIS2 aims to ensure common, high levels of cybersecurity across the EU’s networks and information systems, particularly those that provide essential services to critical sectors, such as gas and electricity distribution networks, transport networks, or banking and financial infrastructures.

Q: What key obligations does the NIS2 Directive place on businesses in scope? 

NIS2 is a Directive, which is a type of EU legislation used to set minimum standards and/or mandate an outcome. A Directive gives the Member States the freedom to reach (or exceed, should they wish to) such standards or goals in whichever way they see fit. As such, it doesn’t impose direct obligations on private operators but does set out the broad lines of the national measures that the Member States must adopt by 17 October 2024. 

For businesses in scope, the key aspect will be the implementation of the cybersecurity risk-management measures and reporting obligations, which will require entities in scope to:

Adopt, and train management on, cybersecurity management measures, which must include, at a minimum, under Article 21 of the Directive:

  • Risk analysis and information systems security policies.
  • Incident handling.
  • Business continuity, such as backup management and disaster recovery, and crisis management.
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers’ or service providers’ security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
  • Basic cyber hygiene practices and cybersecurity training.
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
  • Human resources security, access control policies and asset management.
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Businesses must also notify the competent authorities of any significant cybersecurity incident (on this point, the Commission has recently published its draft implementing regulation setting out the criteria for “significant incidents”, which you can consult here).

Q: What should businesses expect in terms of actual requirements imposed upon them? What should businesses consider when assessing backup and disaster recovery capabilities? 

The minimum security management measures listed above are about as much detail as we can expect at this stage – we’ll have to wait until individual Member States adopt their respective implementing legislation to know more – especially since the Directive specifically allows them to impose higher standards and requirements. The European Commission has also started publishing guidelines that will provide helpful directions. For example, the first of these documents indicates that DORA (the EU Digital Operational Resilience Act, which applies to financial entities and entered into force in 2023) is of “equivalent effect” to NIS2, so businesses can take inspiration from the measures recommended to comply with this sector-specific regulation when preparing for compliance with NIS2.

From a technology perspective, to achieve the critical requirements outlined in Article 21 of the Directive, I’d advise picking a solution that provides:

1. Secure infrastructure – Is built on a decentralized and secure infrastructure, such as GCP or AWS. SaaS products also have the added benefit of sharing the responsibility for certain security measures with your vendor, provided you have appropriate contractual terms in place.

2. Ownership & control – Offers control over where your data and backups reside.

3. Immutability & encryption – Is built with immutability and encryption security measures at rest and in flight.

4. Industry-leading backup – Automates backups at a regular frequency appropriate to the needs of your business, with the ability to restore data quickly and securely, mitigating the impact of any incident.

5. Comprehensive reporting & auditing – Provides comprehensive logs and reports to assist with reporting requirements and auditing compliance with policies and procedures.

6. User & activity records – Controls and records user access to the backup infrastructure, as well as all activity.

7. Regular testing & updates – Enables regular testing and updates to ensure suitability and compliance with regulatory and business requirements.

Q: What advice would you give businesses as they plot a path to NIS2 compliance? 

You’ll notice that I didn’t spend much time talking about the criteria to establish whether a specific business is in scope for NIS2, even though the Directive will not apply to all businesses – the point is that you should consider your cybersecurity strategy whether NIS2 will apply to your business or not. It just makes good business sense!

I would recommend considering the specific risks applicable to your business, the likelihood that these risks will materialize, and the potential costs in such an event, be they purely monetary, or in terms of reputation, market trust, etc. 

This can then inform the specific measures you take, and there isn’t a one-size-fits-all approach here. I’d expect any cyber security strategy to include a mix of appropriate tools to help you automate and monitor backup and security requirements, and policies and procedures to limit the human risk factor and ensure there is always a plan B.
