To address the expanding cyber-threat landscape and the emergence of new challenges, the European Union has adopted new legislation to ensure a uniform high level of cybersecurity across the Union. The NIS 2 Directive (Directive (EU) 2022/2555) replaces the previous NIS 1 Directive (Directive (EU) 2016/1148).
The NIS 2 Directive introduces significant changes compared to its predecessor NIS 1. What you need to know:
- management board members can be held liable for non-compliance with cybersecurity requirements
- the scope of the directive has been expanded to include more sectors and entities
- requirements for cybersecurity governance and risk management measures have been enhanced
- new, stricter deadlines for reporting cybersecurity incidents have been established
- supervision mechanisms have been strengthened, with the possibility of significant enforcement measures and fines up to EUR 10 million, or 2% of worldwide annual turnover
In order to prepare for the NIS 2 Directive, organisations should:
- assess whether they fall within the scope of the new NIS 2 Directive and in which countries
- map out the obligations applicable to their organisation
- take into account any additional measures set forth under national law
Scope of application
The NIS 2 Directive has a broader scope than the earlier NIS 1 Directive. Annex I lists sectors of high criticality; entities operating in these sectors are classified as either essential or important entities based on their size and total annual revenue.
Both essential and important entities are required to comply with the same measures. However, essential entities are subject to more intensive supervision.
The NIS 2 Directive does not apply to micro or small entities (as defined by Commission Recommendation 2003/361/EC of 6 May 2003), nor to entities operating in the fields of national security and defence, public security, the judiciary, or law enforcement.
Main requirements under the NIS 2 Directive
Governance
Management will be required to take an active role in cybersecurity. The management bodies of entities falling within the scope of the NIS 2 Directive must approve their cybersecurity risk management measures and attend specific cybersecurity-related training. They are also responsible for overseeing the implementation of these measures and can be held liable for any violations.
Cybersecurity risk management
Essential and important entities are required to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they use in the provision of their services.
The measures should include, inter alia, risk analysis and information system security policies, incident handling, business continuity (e.g. backup management, disaster recovery and crisis management), security in the acquisition, development and maintenance of network and information systems, basic cyber-hygiene practices and cybersecurity training.
The proportionality of measures depends on the entity’s risk exposure, size, and the likelihood and severity of potential incidents, including their societal and economic impacts.
Incident reporting
The entities under the scope must notify the national competent authorities or the CSIRTs of any cybersecurity incident having a significant impact on the provision of their services. Entities in scope must submit an initial notification within 24 hours of becoming aware of an incident, a detailed report within 72 hours, and a final report within one month.
Certification schemes
Member states may require essential and important entities to use certain ICT products, ICT services and ICT processes that have been certified by European cybersecurity certification schemes.
Sanctions & fines
Fines for essential entities can be up to EUR 10 million, or 2% of the entity’s total worldwide annual turnover from the previous financial year, whichever is higher. Important entities will be subject to fines of up to EUR 7 million, or 1.4% of their total worldwide annual turnover from the previous financial year, whichever is higher.
If the company has already been fined for conduct of this kind under the GDPR (e.g. if the infringement also entails a personal data breach), it will not face another fine for it under the NIS 2 Directive. However, competent authorities may still impose enforcement measures. Enforcement measures may, for example, include binding instructions on cybersecurity, an order to cease any conduct that is non-compliant with the NIS 2 Directive, or an order to the entity to inform affected parties about significant cyber-threats and to designate a monitoring officer to oversee compliance.
Legislative timeline
The NIS 2 Directive needs to be transposed into national legislation by 17 October 2024; however, implementation status varies from country to country.
Estonia
The draft act to implement the NIS 2 Directive in Estonia was published in December 2024 and entered the public consultation phase. It is anticipated that it will go through the legislative process in the parliament during the first half of 2025, with expected entry into force on 1 July 2025. According to the planned timeline, entities within its scope must be identified within six months of the act’s entry into force, so by early 2026.
Latvia
On 20 June 2024, the National Cybersecurity Law, which implements the NIS 2 Directive in Latvia, was published. The National Cybersecurity Law came into force on 1 September 2024. Supplementary rules on minimum cybersecurity requirements were published for public discussion, which was open until 17 July 2024; these rules are still under discussion and no final draft law has been published yet.
Lithuania
The transposition of the NIS 2 Directive has been adopted as an amendment (new edition) of the Law on Cybersecurity, which became valid on 25 July 2024 and entered into force on 18 October 2024. Additional sub-statutory acts (secondary legislation) regulating various details and sector-specific matters, including a description of cybersecurity requirements, were also adopted and came into force on 18 October 2024.
Need help ensuring cybersecurity compliance or managing risk? Our team of experts is at your service.
- In Estonia: senior associate Oliver Kuusk, associate Stella Victoria Ojala and partner Mihkel Miidla
- In Latvia: associate Krišjānis Cercens
- In Lithuania: counsel Irma Kunickė