New Obligations and Regulation of your Cybersecurity Risk Management Systems

This summer, political agreement was reached between the EU Commission, Parliament and Council on the further strengthening of cybersecurity at an EU level through the Network and Information Security Directive 2 (“NIS2 Directive”). 

Adopted in 2016, the Network and Information Security Directive (“NIS Directive”) was the first piece of EU-wide legislation relating to cybersecurity. Its future successor, the NIS2 Directive, will build on that with the goal of improving the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.  

The NIS2 Directive will set minimum standards for cybersecurity risk management measures and reporting obligations on sectors covered by it. The list of sectors coming within the remit have been increased, and it provides for remedies and actions to ensure enforcement. 

Under the NIS Directive, member states determined which entities would qualify as operators of essential services. The NIS2 Directive significantly erodes this discretion, expands the number of sectors covered (from 19 to 35), and introduces a size-cap to bring all medium-sized and large entities within its scope. These are entities having at least 50 employees and a minimum turnover of €10m per year. Sectors include: health; data centre service providers; energy; banking; manufacture of pharmaceutical products; public administration; and waste management. 

The NIS2 Directive strengthens available sanctions for non-compliance or failure to co-operate by relevant entities. Companies can be subject to fines of between 1.4% and 2% of turnover or €10m with accountability of top-management for non-compliance. Formal adoption of NIS2 is expected by Q4 2022, with implementation at a national level by member states by H2 2024.

Additional requirements will arise for risk management frameworks in the financial sector through the European Commission’s Digital Operational Resilience Act (“DORA”) which will overlap with the NIS2 Directive and will have a similar implementation date in H2 2024.

Please contact ByrneWallace LLP Partner and Head of Litigation and Dispute Resolution, Jon Legorburu, Partner and Head of Technology, Victor Timon or a member of the ByrneWallace LLP Cyber Security, Privacy and Data Protection team to learn how we can assist you and your organisation to ensure readiness for increased cybersecurity threats and regulation.