Management Beware: NIS 2 Directive foresees liability of management of companies
What is NIS 2?
NIS 2 stands for the 2022 European Union’s Network and Information Security Directive. It amends and updates the NIS Directive from 2016, modernising the existing legal framework to meet the demands of increased digitalisation and cybersecurity across the European Union.
The NIS 2 distinguishes between (i) essential entities and (ii) important entities based on the sector and size of the operators. The same substantive obligations apply to both essential and important entities, but essential entities are subject to stricter enforcement and oversight obligations.
Essential and important entities are obliged to take technical, operational and organizational measures to manage risks to their network and information systems, and to minimize the impact of potential incidents on users of the entity’s service.
In addition, the NIS 2 introduces a requirement to implement baseline security measures to address specific risks. Companies are required to implement policies on risk analysis and information security, incident handling, business continuity, supply chain security, information systems development practices including vulnerability disclosure, cryptography, encryption and multi-factor authentication, among many others.
TIMING is KEY
- By 17 October 2024, Member states must transpose NIS2 provisions into national law;
- Slovakia will adopt the Directive by amending its Cybersecurity Act effective from 1 January 2025.
There will be a VERY SHORT DEADLINE (60 days) to register your company in the national register; you therefore need to start preparing as much as possible now (!).
Which companies are subject to the NIS 2 requirements
First ALTERNATIVE:
If your company has a workforce of more than 50 employees, has an annual net turnover or balance sheet exceeding € 10 million and operates in one or several of the
“high level critical sectors”
- energy,
- transport,
- banking,
- financial markets infrastructure,
- health,
- drinking water, wastewater, atmosphere,
- digital infrastructure,
- outsourced ICT services,
- public administration, or
- space-based services,
OR in one or several of the
“other critical sectors”
- postal and courier services,
- waste management,
- production and distribution of chemicals,
- production, processing and distribution of food,
- manufacturing of
  - medical devices and in vitro diagnostic medical devices,
  - computer, electronic and optical products,
  - electrical equipment,
  - machinery and equipment not elsewhere specified,
  - motor vehicles, trailers and semi-trailers, or
  - other transport means,
- digital providers, or
- research
your company meets the criteria for an IMPORTANT entity, and therefore is required to be NIS 2 compliant.
Second ALTERNATIVE
If your company has a workforce of more than 250 employees, has an annual net turnover of more than € 50 million or a balance sheet total exceeding € 43 million, and operates in one or several of the
“high level critical sectors”
- Energy
- Transport
- Banking
- Financial markets infrastructure
- Health
- Drinking water, waste water, atmosphere
- Digital infrastructure
- Outsourced ICT services
- Public administration
- Space-based services,
your company meets the criteria for an ESSENTIAL entity, and therefore is required to be NIS 2 compliant.
Please note that even if your company is certified for ISO 27001, this will cover only 70% of the NIS 2 requirements.
Even if your company does not fall within the scope of the NIS 2 directive, it is very possible that some of your customers or business partners may be classified as important or even critical or essential entities according to NIS 2.
Given the strict requirements for supply chain security, your contractual partners who fall under the scope of the NIS 2 directive as essential or important entities:
- will have to implement new security controls and meet cyber incident response requirements, which will affect you as a supplier of the goods or services mentioned above (which means that you should be prepared for a revision of existing contracts),
- will demand compliance and probably contractual guarantees of NIS 2 compliance from YOUR company. Essential and critical entities will be under a statutory duty to require your company to meet the higher legal and IT security standards stipulated by NIS 2.
SANCTIONS:
- Hefty fines of up to EUR 10,000,000 or 2% of the annual turnover;
- prohibiting your company from providing important/essential/critical services;
- liability of the statutory body of the company;
- ban on functions in the statutory body (in case of essential services);
- prohibiting the employee responsible for the essential service concerned from continuing to provide it.
The statutory body is responsible for registering the company as the essential/important entity with the (national) register of the essential or important entities maintained by the National Security Office. Failure to comply with this obligation can lead to a fine of up to € 500,000 (!).
In addition to the duty of registering, the statutory body must approve the risk management measures and monitor their implementation, as otherwise they may be held personally liable.
OUR EXPERTS at bnt attorneys at law will help your company to fulfil the NIS 2 legal requirements. Further, we closely cooperate with a specialized IT firm focused on NIS 2 implementation, so we are in a position to FULLY COVER both the legal and the technical issues involved in implementing NIS 2.
bnt services – what we offer to get you prepared for NIS 2
- Legal and IT audit of your company – which documents the company already has and what is still needed; this includes evaluating your security controls and developing changes to your security, risk management and incident response policies to achieve and document compliance with NIS 2 requirements;
- Preparation or amendment of policies mandatory and recommended under NIS 2 (we cover both the legal and the IT implementation); even if you already have a business continuity and crisis management plan in place, there are further mandatory policies that must be adopted in your company depending on the cybersecurity risks;
- Be reminded that ISO 27001 will not cover all your NIS 2 obligations; we will compare which measures have already been implemented following the ISO 27001 certification and assess the effectiveness of the implementation of this standard in your company;
- Training: for statutory body members, senior managers, the CISO (Chief Information Security Officer) and your HR (!) on the new policies;
- Vulnerability management;
- Revision of supply chain contracts: Existing contracts should be reviewed to ensure they meet the NIS 2 requirements and renegotiated if necessary. Simple information security clauses may be sufficient only in rare cases; in general, detailed contractual provisions or annexes on cyber, IT and information security will be required. These should at least include specific measures to be taken by your company, including amendment obligations, audit rights and duties to provide information.
- National registration of your company as important/essential entity.
- Other related IT & Legal services connected with NIS 2 and the Cyber Security Act requirements.
We will be happy to arrange a joint meeting (online or in person) to discuss the specific measures your company should adopt or improve and how we can help you from the legal and technical perspectives.
SOURCE
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
LP/2024/264 Act amending Act No. 69/2018 Coll. on cyber security and amending and supplementing certain acts