NIS-2 Directive: New provisions to strengthen cyber resilience and security
The Directive on measures for a high common level of cybersecurity across the Union ("NIS-2 Directive") published in the Official Journal of the European Union on December 27, 2022, aims to harmonize cybersecurity requirements in the EU and imposes new cybersecurity obligations on companies. It will replace the previously applicable NIS Directive.
This former directive, which has now been repealed, left the Member States very wide scope for implementation. This led to national differences, for example, in the scope of application and obligations for companies, but also in supervision and enforcement. The aim of the NIS-2 Directive is to eliminate this fragmentation of the European single market between the Member States. A uniform legal framework is to be established to ensure a consistent level of cyber resilience in the European single market.
To this end, a number of measures are envisaged at national level, as well as cooperation between EU states. For example, each Member State is to adopt a national cybersecurity strategy and set up computer security incident response teams (CSIRTs), which will work together in a network at the Union level. There are also provisions for the creation of a European vulnerability database, the establishment of a Cooperation Group to share information among Member States, and the creation of a European network to share information and manage cyber crises.
Who does the NIS-2 Directive apply to?
The NIS-2 Directive establishes uniform criteria for the scope of application and extends it to an even larger part of the economy. Compared to the NIS Directive, the list of critical sectors has been extended, so that in the future more companies will fall within the scope than before.
The entities addressed by the Directive are public and private entities as well as entities operating in the EU belonging to the critical sectors listed in Annex I and II of the Directive. These include, among others, energy, transport, banking, financial market infrastructures as well as health and digital infrastructure as sectors with high criticality. New additions include the sectors of waste water, public administration and space, as well as ICT service management.
However, the aforementioned entities in principle only fall within the scope of application if they also exceed the thresholds for medium-sized enterprises according to the Commission's definition of SMEs. This currently applies to companies in the aforementioned sectors with more than 50 employees and an annual turnover or annual balance sheet of more than 10 million euros.
Nevertheless, the directive also applies to certain entities of criticality, regardless of their size. This applies, for example, to certain providers of communications networks and communications services, trust service providers or TLD name registries, and DNS providers. This means that in these areas, micro and small enterprises may also be covered by the Directive.
Essential and important entities
The Directive also distinguishes between essential and important entities (Art. 3 NIS-2 Directive), whereby the classification is based on the degree of criticality of the sector and affects, among other things, the scope of the measures that can be taken by the national authorities. Essential entities are in particular those listed in Annex I. These include, for example, sectors such as energy, transport, health, and digital infrastructure. In addition, entities may also be designated as essential by Member States.
Important entities, on the other hand, include those from the sectors listed in Annex I or II that are not considered essential according to the criteria of the Directive. These include, in particular, the other critical sectors listed in Annex II, such as postal and courier services, the manufacture of certain goods (for example, medical devices, computer and electronic products and motor vehicles) and digital providers.
The NIS-2 Directive imposes wide-ranging obligations on the entities falling within its scope. Essential and important entities must adopt cybersecurity risk management measures that include a number of requirements (Art. 21 (2) NIS-2 Directive). These include, but are not limited to, cybersecurity policies and cybersecurity awareness training. In addition, essential and important entities may be required to use specific ICT products, services and processes certified with respect to cybersecurity (Art. 24 (1) NIS-2 Directive).
In the case of significant security incidents, as defined in more detail in Art. 23 (3) NIS-2 Directive, essential and important entities are also required to notify the competent authority. An early warning must be made without undue delay, and in any event within 24 hours of becoming aware of the incident. A second notification with an initial assessment of the incident must be submitted within 72 hours. A final report must be submitted to the competent authority no later than one month after the incident. Where applicable, essential and important entities must also inform the recipients of their services themselves of significant cyber threats (Art. 23 (2) NIS-2 Directive). The Commission may adopt implementing acts further specifying the type of information and the form of notification.
Measures and sanctions
The NIS-2 Directive has a considerable regime of measures and sanctions, which varies depending on the classification of the affected entity.
Possible measures include on-site inspections and targeted security audits (the costs may have to be borne by the audited entity). Authorities may request information and request access to data, documents, and other information. This includes requesting evidence of the implementation of cybersecurity policies. Further, the competent authorities have, among other things, the power to issue warnings and issue several orders.
More far-reaching measures can be taken against essential entities, such as ad hoc audits, random checks or regular security audits. The authority can also require them to designate a monitoring officer and, under certain conditions, even temporarily suspend certification or authorisation (Art. 32 (5) (a) NIS-2 Directive).
Fines for non-compliance with risk management measures and reporting obligations may be imposed on essential entities of at least up to 10 million Euros or 2% of the previous year's global turnover, whichever is higher. Fines of at least up to 7 million Euros or 1.4% of the previous year's global turnover may be imposed on important entities.
In contrast to the possible fines under the GDPR, fines under the NIS-2 Directive are not imposed "in addition to or instead of measures," but "in addition to any of the measures" referred to in Art. 34 (2) of the NIS-2 Directive.
In relation to the GDPR, it should also be noted that an infringement which has already led to a GDPR fine cannot be sanctioned again with a fine under the NIS-2 Directive, even if the conduct itself constitutes an infringement of regulations under that Directive (Art. 35 (2) NIS-2 Directive).
Relationship to data protection law
The NIS-2 Directive is without prejudice to the GDPR (Recital 14 NIS-2 Directive) and refers in several places to its provisions on the protection of personal data. Since the processing of personal data under the Directive is subject to the GDPR, the entities and bodies referred to in the NIS-2 Directive may process personal data only in accordance with the GDPR (Art. 2 (14) NIS-2 Directive). Recital 121 NIS-2 Directive indicates that a legal obligation (Art. 6 (1) (c) and Art. 6 (3) GDPR) or a legitimate interest (Art. 6 (1) (f) GDPR) could be considered as a legal basis for processing personal data when it comes to ensuring the security of network and information systems.
Competent authorities under the NIS-2 Directive should cooperate with data protection authorities (Recital 108 and Art. 31(3) NIS-2 Directive) and report data protection breaches to them (Art. 35 NIS-2 Directive).
Further procedure and recommendations
The NIS-2 Directive was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. Thereafter, Member States must transpose the rules into national law by 17 October 2024. From the day following this deadline, the regulations are applicable domestically.
Due to the far-reaching requirements of the NIS-2 Directive and the foreseeable time until implementation in national law, we advise acting on the new regulations at an early stage.
ECJ ruling on VIN and general aspects of the term 'personal data'
The consequences of the ECJ's decision in Case C-319/22 (also referred to as the ‘Scania case’) of November 9, 2023 will certainly be discussed in the data protection scene for a long time to come. It is already visible that the judgment creates big waves in the automotive industry and related sectors, but also in the data protection community in general. However, it seems doubtable whether this is justified or whether essentially the same aspects as before the decision must be taken into account when clarifying the question of the existence of personal data. In the exact case dealt with by the ECJ, it will first be decided by the Regional Court of Cologne whether the VIN is indeed personal data for vehicle manufacturers and independent operators. The ECJ ruling itself does not yet provide a direct and unambiguous answer
Advocate General at the CJEU: Concerning the appropriateness of technical and organisational measures and compensation for non-material damages in the event of a hacker attack
Advocate General at the Court of Justice of the European Union (CJEU), Giovanni Pitruzzella, published his opinion in case C-340/21 on 27. April 2023 regarding the conditions for compensation for non-material damages and the burden of proof for the appropriateness of technical organizational measures (TOMs) under Art. 32 GDPR in connection with a hacker attack.