GUBERNA: what does NIS2 mean for board directors and executives?
What does NIS2 stand for?
NIS2 stands for “Network and Information Security Directive” and is a continuation and expansion of the previous EU cybersecurity directive, NIS1.
NIS: EU’s First Cybersecurity Law
The Network and Information Systems Directive (NIS) was introduced in 2016 as the first European legislation on cybersecurity. Its primary objective was to increase the cyber resilience of EU Member States by identifying operators of essential services in the Union and enforcing cybersecurity measures, with incident reporting being a central requirement.
Why was NIS revised?
It became clear that the implementation of the Directive varied greatly between Member States. This inconsistent implementation led to a fragmented system in which some companies and organisations were considered essential in some countries but not in others. The European Commission therefore decided to revise the NIS Directive to clearly define the organisations covered and their specific requirements, a plan that came to fruition in 2021 in the form of the Network and Information Security Directive (NIS2).
Why is NIS2 an improvement?
The aim of NIS2 is to strengthen the collective cybersecurity level of EU Member States by increasing cybersecurity enforcement requirements for critical infrastructure sectors. The directive is transposed into national law, which means that each organisation covered by the directive will be required to meet its requirements. NIS2 expands the EU-wide cybersecurity requirements and sanctions to harmonise and streamline the security level across all EU Member States, and the stricter requirements mean that your organisation now has to lay out clear plans for how it performs risk management, control and oversight.
In addition, NIS2 also strengthens requirements for cybersecurity enforcement, including early mandatory incident reporting, widened risk management and a newly defined designation of C-level cybersecurity responsibility.
Is your organisation affected by NIS2?
NIS2 expands the number of covered sectors from 7 to a total of 15 and distinguishes between “essential companies” and “important companies”.
Essential companies:
- Digital infrastructure – DNS service providers, trust services, data centre services, cloud computing, communication services, managed service providers and managed security service providers
- Drinking water and waste water
- Energy – supply, distribution, transmission and sales
- Finance – credit, trade, market and infrastructure
- Health – research, production, providers and manufacturers
- Public administration, municipalities and regions
- Space – software and services
- Transport – aerial, rail, road and sea
Important companies:
- Chemical products – production and distribution
- Digital providers of online marketplaces, search engines, social platforms
- Foods - production and distribution
- Postal and parcel service
- Production of pharmaceuticals, electronic and optical equipment, machinery and vehicles
- Research
- Waste management
Note that suppliers deemed critical to the organisation should also meet the same NIS2 requirements, in the context of supply chain risk management. Each organisation has to make this determination itself.
What happens if your organisation does not comply with NIS2?
A/ Non-monetary remedies
NIS2 gives national supervisory authorities the power to impose non-monetary remedies, including:
- Compliance orders
- Binding instructions
- Cybersecurity audit implementation orders
- Threat notification orders to all customers of the organisation.
B/ Administrative fines
With regard to administrative fines, the NIS2 directive carefully distinguishes between essential and important companies:
- For essential entities: a fine of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.
- For important entities: a fine of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.
C/ Sanctions for board directors
NIS2 allows Member State authorities to hold board directors and executives personally liable and responsible if gross negligence is proven after a cyber incident. This includes:
- Ordering that organisations make compliance violations public.
- Making public statements identifying the natural and legal person(s) responsible for the violation and its nature.
- Temporarily banning an individual from holding management positions in the case of repeated violations, if the organisation is an essential entity.
What requirements does NIS2 place on your organisation?
Depending on the size of the business, the societal function, and how exposed the organisation is, the level of requirements varies. This is to ensure that the requirements remain proportionate, so that smaller businesses are not disproportionately affected, and that the requirements for larger businesses reflect their role in society. The NIS2 Directive adds new requirements for four primary areas of your organisation in order to withstand current and future cyberthreats:
- Corporate Accountability: Directors must oversee, approve and be trained on the organisation’s cybersecurity measures and must address cyber risks. Cybersecurity breaches may result in board director liability and a potential temporary ban from board director roles in Europe.
- Reporting Obligations: Essential and important entities must have processes in place for prompt reporting of cybersecurity incidents with significant impact on their service provision or recipients. NIS2 sets specific notification deadlines, such as a 24-hour “early warning”.
- Risk Management: Directors have a direct responsibility to identify and address cyber risks to comply with the requirements. These measures include cybersecurity incident management, stronger supply chain security, enhanced network security, better access control and encryption.
- Business Continuity: Directors must plan for how they intend to ensure business continuity in the case of major cybersecurity incidents. This plan should include considerations about system recovery, emergency procedures and setting up a crisis response team.
In conclusion
The EU NIS2 Directive represents a critical step in strengthening the cybersecurity framework across the EU. For board directors and executives, this means adapting to a more rigorous regulatory environment by integrating a cybersecurity strategy into their core business processes.
It is crucial for board directors and executives to take the necessary steps to understand the implications of the NIS2 Directive for their organisations, such as engaging in cybersecurity governance, fostering a culture of cybersecurity awareness, and collaborating with experts to ensure compliance and resilience against cyber threats. By understanding and implementing the necessary NIS2 requirements, board directors and executives can help secure their organisation against increasing cyber threats while aligning with EU-wide efforts to enhance digital infrastructure security.
For more detailed information about NIS2, we refer to this authoritative source: www.cyfun.be
Which seven steps can board directors and executives take to ensure NIS2 compliance?
Board directors and executives can take specific steps to ensure their organisations comply with the NIS2 Directive:
- UNDERSTAND THE SCOPE OF NIS2: Board directors and executives should first ensure they fully understand the NIS2 requirements and how they apply to their organisation. This involves identifying whether the organisation falls under the directive and comprehending the specific obligations that come with this classification.
- PERFORM / UPDATE CYBERSECURITY RISK ASSESSMENT AND FOLLOW UP: Board directors and executives should conduct thorough cybersecurity risk assessments to identify vulnerabilities and potential threats. This step is crucial for understanding the organisation’s specific security needs and complying with the NIS2 requirement to manage and mitigate cybersecurity risks effectively.
- REVIEW / UPDATE CYBERSECURITY POLICY: Board directors and executives must ensure that the existing cybersecurity policy is reviewed and/or updated to align with the NIS2 requirements. This policy should cover system security, incident response, data protection, and recovery plans.
- REVIEW / UPDATE CYBERSECURITY INCIDENT RESPONSE PLAN: Board directors and executives should develop and maintain an effective cybersecurity incident response plan as required by NIS2. This plan should enable the organisation to detect, report, and respond promptly to cybersecurity incidents and breaches.
- REVIEW / UPDATE REGULAR CYBERSECURITY TRAINING AND AWARENESS PROGRAMME: Board directors and executives must ensure that all staff, including board directors and executives themselves, know about all relevant cybersecurity issues and understand their roles in maintaining cybersecurity. A proper cybersecurity training programme must exist and be maintained to keep all persons regularly updated on the latest cybersecurity practices and NIS2 compliance requirements.
- REVIEW / UPDATE REGULAR CYBERSECURITY REPORTING AND DOCUMENTATION: Board directors and executives must establish procedures for documenting and reporting cybersecurity incidents as required by NIS2. This includes timely notification to the relevant national authorities and, where applicable, to the affected stakeholders.
- REVIEW NIS2 COMPLIANCE AUDITS: Board directors and executives must have regular audits performed on cybersecurity measures and compliance practices, with follow-up to ensure ongoing adherence to NIS2 requirements. These audits can be internal or involve third-party experts to objectively assess the organisation’s compliance status.