The importance of the NIS2 Directive and the potential challenges it entails

Authors

  • Darina Shamatonova, Catholic University of Lyon, Lyon, France

DOI:

https://doi.org/10.61841/7k8bwj71

Keywords:

NIS2, cybersecurity, cybercrime, critical infrastructure

Abstract

This paper seeks to examine the main amendments introduced by the NIS2 Directive within EU territory, its importance for cybersecurity, and the challenges it entails for the routine workflow of corporations.

References

DIRECTIVE (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148

Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union

Preamble (4) and (5) of NIS2, Article 4 of NIS2 (Sector-specific Union legal acts)

Preamble (2) of NIS2

Dragomir, A.V., 2021. What's New in the NIS 2 Directive Proposal Compared to the Old NIS Directive. SEA: Practical Application of Science, 9(27), page 156, available at: https://seaopenresearch.eu/Journals/articles/SPAS_27_1.pdf (date of access: 23 May 2024)

The essential and important entities and services are defined in Article 3 of NIS2

These sectors above underline those that will be under the most stringent supervision of the Directive

KPMG, Levelling-up your IT and OT security capabilities in light of the NIS2, August 2023, Page 5, available at: https://assets.kpmg.com/content/dam/kpmg/kr/pdf/2023/kpmg-eu-nis2-report.pdf (date of access: 23 May 2024)

Notification was also obligatory under the previous version of NIS, but the new version underpins this obligation with personal liability of top management, as well as of the officials responsible for cybersecurity measures, with fines for non-compliance, so in the updated version of NIS this reporting obligation shall become a real instrument

See for example Schmitz-Berndt, S., 2023. Defining the reporting threshold for a cybersecurity incident under the NIS Directive and the NIS 2 Directive. Journal of Cybersecurity, 9(1), p.9

Valentino Lucini (2023). The Ever-increasing Cybersecurity Compliance in Europe: the NIS 2 and What All Businesses in the EU Should be Aware of. Russian Law Journal, 11 (6S). 149

Johan David Michels identifies under-investment in cybersecurity and failure to disclose information on breaches as the main problems of the current cybersecurity regime, see: Michels, J.D. and Walden, I., 2020. Beyond "Complacency and Panic": Will the NIS Directive Improve the Cybersecurity of Critical National Infrastructure?. European Law Review. 28

Chapter VI of NIS2 (Information sharing) is dedicated to information sharing, coordination of actions and relevant procedures

The definition of a single point of contact is contained in Paragraph 3 of Article 8 of NIS2: each EU Member State shall designate or establish a single point of contact (competent authority) that has adequate resources to carry out, in an effective and efficient manner, cybersecurity tasks

Preamble (40) and (70) of NIS2

Article 25 of NIS2

Article 24 of NIS2

The European Union Agency for Cybersecurity ranks supply chain cyber-attacks as a popular type of cyber threat, see: ENISA Threat Landscape 2023 (October 2023 report), page 7

Article 34 of NIS2 requires Member States to implement administrative fines of a maximum of at least EUR 10m or 2% of total worldwide annual turnover, whichever is higher, for essential entities (paragraph 4); for important entities (paragraph 5) fines are EUR 7m and 1,4% of turnover. Periodic penalties are also allowed (paragraph 6), while personal data breaches are still subject to GDPR penalties (Article 35 NIS2) with no double liability

Ferguson, D.D.S., 2023. The outcome efficacy of the entity risk management requirements of the NIS 2 Directive. International Cybersecurity Law Review, 4(4), pp.371-386, available at: https://link.springer.com/article/10.1365/s43439-023-00097-8 (date of access: 23 May 2024)

Published

2025-03-25

How to Cite

Shamatonova, D. (2025). The importance of the NIS2 Directive and the potential challenges it entails. Journal of Advance Research in Social Science and Humanities (ISSN 2208-2387), 11(1), 46-48. https://doi.org/10.61841/7k8bwj71