Update Data Protection No. 136
Strengthening Cybersecurity in Critical Sectors — What Changes will the NIS 2 Directive bring with it?
The digital transformation of the European Union is also progressing in the area of information and cyber security. For this reason, the “Directive on measures for a high common level of cybersecurity in the Union” (“NIS 2 Directive”) was published in the Official Journal of the EU on December 27, 2022, and came into force on January 16, 2023. The Member States now have until October 17, 2024 to transpose the requirements of the directive into national law.
II. Starting Point
With the creation of a legal framework for network and information security in the European Union through the NIS Directive in 2016, the Commission reacted to the growing threat that operators of essential services in critical sectors could become the victim of a cyber attack with unforeseeable consequences. The NIS Directive was implemented in Germany as part of the German IT Security Act 2.0 [IT-Sicherheitsgesetz 2.0]. The enforcement of extensive security measures made an important contribution to improving the cyber resilience of these sectors. The trend of global problems increasingly spreading to and being reflected in the digital space was demonstrated last year by the outbreak of the Russian war of aggression in Ukraine and the resulting specific threat to German critical infrastructures as well. As a result, the NIS 2 Directive creates higher security requirements for the companies within its scope and thus pursues the overall goal of further increasing the level of cyber security in the EU in order to meet future challenges.
A major innovation in the NIS 2 Directive is the significantly expanded group of addressees. The directive no longer distinguishes between “operators of essential services” and “digital service providers”, but classifies companies within its scope into “essential and important entities”, with implications for the resulting obligations and for the supervisory and enforcement powers of the competent authorities. EU-wide uniformity of this scope of application is ensured by the fact that it is conclusively defined in the NIS 2 Directive itself.
According to Art. 3 (1) NIS 2 Directive, all companies that exceed the threshold for “medium-sized enterprises” according to Art. 2 (1) of the Annex to Recommendation 2003/361/EC and that operate in one of the following “sectors of high criticality” are considered essential entities:
- Energy (electricity, district heating, oil, natural gas, hydrogen)
- Transport (air traffic, rail traffic, shipping, road traffic)
- Banking and financial market infrastructures
- Drinking and waste water
- Digital infrastructure (inter alia, Internet exchange point providers, providers of cloud computing services, providers of data center services, trust service providers, providers of public electronic communication networks and services)
- Management of ICT services
- Public administration entities
This also includes:
- all qualified trust service providers and top-level domain name registries and DNS service providers, regardless of size;
- other entities of the type listed in Annex I or II that have been classified by a Member State as “essential entities”;
- facilities classified as critical entities under Directive (EU) 2022/2557 (“Critical Entities Resilience Directive”);
- operators of essential services under the NIS Directive.
According to Art. 3 (2) NIS 2 Directive, all other companies that are active in one of the sectors listed in Annex I or Annex II (other critical sectors) are considered to be “important entities”. This includes companies that fall within any of the above sectors but do not exceed the required threshold and companies operating in any of the sectors listed in Annex II. These include, in detail:
- postal and courier services;
- waste management;
- manufacture, production and distribution of chemicals;
- production, processing and distribution of food;
- manufacturing industry/manufacturing of goods (including manufacturers of medical devices and in-vitro diagnostics, data processing equipment, vehicle manufacturers and mechanical engineering companies);
- digital service providers (online marketplaces, online search engines and social networks).
The 18 sectors of the NIS 2 Directive include the German critical infrastructure [KRITIS] sectors as well as the companies of special public interest, but also go beyond these. It can therefore be expected that the sectors of space travel, public administration, energy (hydrogen), health (medical devices and in-vitro diagnostics), research and ICT services, which are not yet listed in the IT Security Act, will be integrated into the new version of the Act.
IV. New Security Requirements and Obligations for Member States and Entities
The NIS 2 Directive introduces a number of new obligations for Member States and those entities classified as essential or important entities.
1. National Cybersecurity Strategy and Strengthening State Cooperation
Art. 7 NIS 2 Directive obliges the Member States to adopt a national cyber security strategy. This strategy is intended to identify the strategic goals and the resources required for them, as well as the political and regulatory measures that are considered necessary to achieve and maintain a high level of cyber security. In particular, it should include concepts for protecting supply chains and for strengthening cooperation between the public and private sectors in preventing security incidents, safeguarding cyber security and restoring it after an incident.
The NIS 2 Directive is also intended to strengthen cooperation between the Member States and for this purpose provides for the establishment of a cooperation group in Art. 14 for the purpose of strategic cooperation and information exchange as well as to strengthen trust.
In addition, ENISA will set up a European vulnerability database (Article 12) and introduce a peer review process (Article 19).
To ensure more effective crisis management, Member States must establish national Computer Security Incident Response Teams (CSIRTs). Essential and important entities must report significant security incidents to these CSIRTs in a multi-stage process.
2. Risk Management Obligations for Entities
In addition, the NIS 2 Directive includes a catalog of new obligations for essential and important entities. Art. 21 NIS 2 Directive provides, for example, that essential and important entities must take suitable and proportionate technical, operational and organizational measures to ensure the security of their network and information systems. These measures must be based on an all-hazards approach aimed at protecting the network and information systems and the physical environment of these systems from security incidents. Art. 21 (2) contains a catalog of aspects to be considered, which explicitly includes:
- backup management and emergency recovery of data as part of crisis management;
- supply chain security and security measures in the acquisition, development and maintenance of network and information systems;
- procedures for evaluating the effectiveness of risk management measures;
- cyber hygiene;
- the use of cryptography and, if necessary, encryption; and
- multi-factor authentication processes.
In addition, according to Art. 23 (1) NIS 2 Directive, essential and important entities are to be obliged by the national implementing law to report “significant security incidents” to the responsible CSIRT or the responsible authority without undue delay. The specific conditions under which such a reporting obligation arises and the formal requirements for the report are set out in Art. 23 (3) and (4) NIS 2 Directive.
V. Stricter Supervisory and Sanctions Regime
The NIS 2 Directive includes a significant tightening of the supervisory and enforcement measures in relation to essential (Art. 32 NIS 2 Directive) and important (Art. 33 NIS 2 Directive) entities. Accordingly, when implementing the Directive, the Member States should ensure that, among other things, on-site inspections and spot checks can be carried out and that information and evidence of the implementation of the obligations of the addressees can be requested.
According to Art. 34 NIS 2 Directive, the Member States should also ensure that fines and penalties can be imposed; for fines, different maximum amounts apply to essential and important entities according to Art. 34 (4) and (5).
If the competent authority determines that the enforcement measures taken against an essential entity are ineffective, Art. 32 (5) b) NIS 2 Directive provides that it should be able to request that the competent authorities or courts, in accordance with national law, temporarily prohibit natural persons who hold managerial responsibilities in that essential entity at the managerial or board level or at the level of the legal representative from exercising managerial functions.
VI. What Affected Companies Have to Consider Now
The Directive must be implemented by the Member States by October 17, 2024. The IT Security Act 2.0 already brought a large number of new cyber security obligations for the companies affected, and the provisions of the NIS 2 Directive expand these once again and massively. In addition to a detailed analysis of the existing security measures and of compliance with international standards and norms on information security, companies should check at an early stage which of the additional obligations can be met by implementing new security processes. Establishing and operating an effective information security management system is a costly and labor-intensive process, which is why affected companies should not delay implementing the measures that will be required of them and should be prepared for an increase in the overall cyber security budget.