Europe’s Cybersecurity Puzzle: NIS2 Progress in 30 Pieces

NIS2 applies to wide range of entities operating across various sectors and industries, including:

• Digital infrastructure (including data center providers, providers of public electronic communications networks, cloud computing service providers),
• ICT service management (managed service/security service providers),
• Digital providers (including providers of online marketplaces and social networking services platforms),
• Manufacturing (e.g., industrial machinery and equipment, motor vehicles, computer, electronic and optical products, chemicals (including production and distribution)),
• Energy,
• Space,
• Transport,
• Health,
• Banking,
• Research,

…and more,

where those entities meet the size thresholds for medium or large enterprises and provide their services or conduct their activities within the EU. In addition, the NIS2 Directive applies to certain types of entities regardless of size, such as those designated as critical entities under the CER Directive.

Finally, even if your company is not directly regulated under NIS2, it may be indirectly impacted through business relationships with entities that are. This includes various cybersecurity program obligations they will be required to flow down to you as part of securing their supply chain.

Include registration, implementation of cybersecurity risk-management measures, incident reporting, supply chain security, and adoption of governance measures.

The NIS2 Directive imposes personal liability on individuals within the management structures of NIS2-covered entities. The national laws transposing NIS2 that have been finalized so far include specific provisions confirming that individuals may have personal liability for violations of NIS2.

Importantly, personal liability extends beyond the board of directors and may apply to any individual acting as a legal representative with the authority to represent the company, to make decisions on its behalf, or exercise control over it. Depending on the local implementation, this may also include members of senior management.

In the local NIS2 transpositions, we have seen several significant local deviations businesses need to look out for.

• In particular, in a registration process (e.g., through platform v direct communication with the authority via email) and special requirements (e.g., some countries require a locally based representatives/points of contact for certain foreign entities).
• When adjusting the incident response processes, businesses must also review local incident reporting requirements (e.g., incident reporting thresholds) as some countries decided to specify these in the secondary legislation.
• Some countries also require cybersecurity risk-management requirements going beyond the NIS2 Directive (e.g., Hungary and Malta) and have introduced mandatory periodic external audits (e.g., Belgium, Hungary and Slovenia).
• In scope, for example, the Slovak implementation of the NIS2 Directive imposes an obligation on entities covered by NIS2 and subject to the Slovakian NIS2 law to provide the Slovak authorities with a list of all particularly significant suppliers involved in the delivery of their services. These listed suppliers then themselves become subject to the Slovakian NIS2 law. This has a significant impact e.g., on digital infrastructure providers (such as cloud providers) that could otherwise qualify for the NIS 2 one-stop shop mechanism and only report to a single EEA regulator, as they also become regulated by the Slovak NIS2 rules. This also increases the risk for those providers who are potentially subject to NIS2 but may not have registered with the local regulator yet.

For essential entities, national authorities have the power to enforce the rules with administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.

Jurisdiction for enforcing NIS2 compliance, including against individuals responsible for compliance failures, depends on the service provided by the NIS2-covered company provided. As a general rule, NIS2 covered entities will be under the jurisdiction of the member state in which they are established. For certain types of services, there are, however, some specifics:

• For digital services (e.g., online marketplace and social networking services platform) as well as other one-stop-shop services (like data centers, cloud computing providers, etc.), only the jurisdiction of the main establishment will be relevant.
• For telco providers, jurisdiction lies with each EEA Member State where the service is provided (therefore potentially all 30 Member States).