The Network and Infrastructure Security 2 directive (NIS 2, often written NIS2), codified as Directive (EU) 2022/2555, is a European Union (EU) directive.
This post explains some aspects of this directive and its transposition by EU member states.
Introduction to NIS2
The NIS2 directive was promulgated on 14 December 2022, together with other EU directives relevant to information security, such as DORA and CER.
NIS 2 is published in the document “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148”.
You can download and read NIS2 from this external link.
NIS2 Objective
NIS2 establishes a framework within the European Union in the following areas:
- For affected organizations:
  - Cybersecurity risk management
  - Cybersecurity notifications
  - Cybersecurity information exchange
- For EU member states:
  - Cybersecurity supervision and monitoring
Legislation before NIS2
NIS2 amends and repeals some existing legislation, including:
- Amends:
  - Regulation (EU) 910/2014
  - Directive (EU) 2018/1972
- Repeals:
  - Directive (EU) 2016/1148, or Network and Infrastructure Security (NIS), colloquially and retroactively dubbed NIS1 to avoid confusion with NIS2.
NIS2 Scope
NIS2 applies to both the public and the private sector, but not to every organization in them.
NIS2 excludes some public-sector bodies, including:
- Military
- Police
- Security forces
- Central banks
- Judiciary
- Parliaments
General conditions for a company to be in scope:
- It provides services or performs activities within the EU
- It operates in any of the sectors defined in Annex I or II
- It is medium-sized or larger
Regarding public and private organizations, NIS2 applies only to medium-sized companies and above, as defined in the Annex of Recommendation 2003/361/EC.
Conditions for a company to be medium-sized or above:
- More than 50 employees
- A total annual balance sheet (i.e., annual billing) of more than 10M €
However, there are some exceptions where NIS 2 must be applied regardless of size; check Article 2.
If CER applies to an organization, NIS 2 also applies to it.
NIS2 Authorities
Organizations will be compelled to report to their member state’s CSIRT.
The European cyber crisis liaison organisation network (EU-CyCLONe) is a cooperation network for the national authorities of member states in charge of cyber crisis management. It was created in 2020.
ENISA will publish guidelines regarding NIS2.
NIS2 Obligations for Organizations
Common Obligations
Chapter IV is about obligations (see Article 21).
Main NIS2 obligations:
- Liability of the board of directors
- Incident reporting in case of a cybersecurity incident
- Supply chain meeting NIS2
Liability of board of directors
The board of directors of an organization should approve and supervise technical, operational and organizational measures.
Incident report in case of cybersecurity incident
In case of a cybersecurity incident, organizations under the scope of NIS2 are required to inform their reference computer security incident response team (CSIRT) within 72 hours.
Supply Chain meeting NIS2
Providers in the supply chain of an organization under the scope of NIS2 may be required to meet NIS2 obligations as well.
Consequences of non-compliance with NIS2
Chapter VII is about consequences.
Difference between Essential and Important Entities
Obligations differ depending on whether an entity is essential or important. They are defined in Article 3, “Essential and important entities”.
Essential entities are those that meet certain conditions listed in Article 3, including:
- Organizations in a sector of Annex I that are considered large
- Trust service providers, domain name registries and DNS service providers
- Medium-sized providers of public electronic communication networks or services
- Central government entities (Article 2(2), point (f)(i))
- Being under the scope of the CER directive
- Request by a member state
Large companies are those:
- Having more than 250 employees
- Billing more than 50M € annually, or having a total annual balance sheet of more than 43M €
Important entities are those that cannot be qualified as essential entities.
Fines
Organizations that fail to meet NIS2 requirements are liable to pay 2M € or 2% of annual revenue.
Transposition of NIS2 to EU Member States
In EU legal jargon, when a member state adopts the measures needed to comply with a directive, we say that the member state is transposing the directive.
All EU member states must transpose EU directives before the deadline specified in the directive.
The deadline for member states to transpose NIS 2 is 14 October 2024.
Transposition of NIS2 to Spain
Spain has been a member of the EU since 1986, and it needs to transpose NIS 2 before the deadline.
NIS1 was transposed into the following laws:
- Real Decreto Ley 12/2018
- Real Decreto de desarrollo 43/2021
Because NIS1 has been superseded by NIS2, these Spanish laws should be updated.
Structure of NIS2 Directive Document
Chapter I summarizes the scope.
Chapters II and III apply only to member states and their agencies devoted to cybersecurity, not to private organizations or other public organizations.
Chapter IV summarizes the obligations.
External References
- EU; “NIS 2”; EU
- ENISA; “NIS Directive”; ENISA
- GlobalSuite Solutions; “NIS2, publicada la Directiva relativa a medidas de ciberseguridad”; Global Suite Solutions [Spanish]
- EY; “NIS2 supply chain”; EY