Hacking NIS2: 5 innovations about the sequel to the EU’s cybersecurity framework
July, 2024 - Jan Clinck
NIS2 (the second “Network and Information Systems Directive”) is an updated regulatory framework introduced by the European Union to strengthen cybersecurity across member states. It is a successor to the original NIS Directive, which was adopted in 2016. NIS2 aims to address the evolving (geopolitical) landscape of cyber threats by drastically expanding the scope of the original directive, introducing stricter requirements and higher penalties (including personal liability for management bodies).
The Belgian implementation Act and implementing Royal Decree were recently published in the Belgian State Gazette. The Belgian NIS2 framework has thus taken further shape. This is, in contrast to many other Member States, well ahead of its entry into force on 18 October 2024.
Be aware that the framework is not yet finished. As we speak, the EU Commission is working on implementing acts laying down the technical and methodological requirements for specific types of entities.
This blog highlights 5 innovations.
Innovation #1: the introduction of “important entities”
NIS1 focused on operators of essential services. NIS2 introduces a second category. Now two types of entities fall within the scope: “essential entities” and “important entities”.
Whether a company qualifies as one of these entities will mainly depend on:
- The entity’s activities: if an entity carries out activities in a sector listed in one of the two annexes to the NIS2 Act (see below), it may be covered.
- The size of the enterprise: in general, only large enterprises fall within the NIS2’s scope, so most SMEs are excluded.
Note: There are several exceptions (for example, some activities fall within the scope regardless of the entity’s size). In addition, supervisory authorities can also decide that, under certain circumstances, an entity falls under NIS2.
Whether and to what extent a company falls under NIS2 can therefore be a complex exercise.
Innovation #2: more sectors and activities are covered
NIS2 identifies “highly critical sectors” (Annex I) and “other critical sectors” (Annex II). Looking at these two annexes, one will notice that the NIS2 Act encompasses a significantly broader range of application than its predecessor: NIS2 not only expands sectors that were already mentioned in NIS1 (for example, the “health” sector now also includes laboratories and pharmaceutical companies), it also adds a whole range of new sectors (for example, space, food and manufacturing):
Annex I: Highly Critical Sectors
- Energy (electricity, district heating and cooling, oil, gas, hydrogen)
- Transport (air, rail, water: maritime navigation, road)
- Banking
- Financial market infrastructure
- Health (hospitals, laboratories and pharma)
- Drinking water
- Waste water
- Digital infrastructure (internet exchange points, DNS services, datacenters, cloud providers, communication networks, etc.)
- (B2B) ICT service management
- Public administration(s)
- Space
Annex II: Other Critical Sectors
- Postal and courier services
- Waste management
- Chemical industry (manufacture, production and distribution)
- Food (production, processing, distribution)
- Manufacturing (of medical devices, of computer and electronics, machinery and equipment, motor vehicles and trailers, other transport equipment)
- Digital providers (online marketplaces, search engines, social networks)
- Research organisations
Innovation #3: new and broader obligations (registration, risk management, reporting and conformity assessments)
Exactly which obligations an entity must comply with depends on its qualification as an “essential” or “important” entity.
Both types of entity should in any case:
- Register themselves with the cybersecurity authority.
- Take appropriate cybersecurity risk management measures, such as incident handling, business continuity, cyber hygiene and supply chain security. The latter, an innovation in NIS2, implies that an entity must monitor the cybersecurity of ‘direct suppliers and service providers’.
- Comply with reporting requirements for “significant incidents”. Within specific time frames of 24 hours, 72 hours, and one month after the incident, entities must report on aspects such as the existence, occurrence, and scope of incidents to the national computer security incident response team. Where necessary, they should also notify their service recipients if they are at risk due to the incident and advise on measures to mitigate this risk.
Furthermore, essential entities have the obligation to conduct regular conformity assessments. Important entities can voluntarily undergo such assessments. The Royal Decree sets out the modalities and timings for complying with this obligation in further detail.
Innovation #4: enforcement by sectoral authorities
The NIS2 enforcement structure has also undergone an interesting update. As was the case under NIS1, the Belgian Centre for Cybersecurity (“CCB”) will still hold the scepter in enforcing NIS2 in Belgium. However, besides central enforcement by the CCB, NIS2 introduces the possibility of delegating enforcement to sectoral authorities, each for its own sector. The exact extent of this cooperation and delegation from the CCB to these sectoral authorities is subject to cooperation agreements, which are yet to be concluded. The recently published Royal Decree lists the following sectoral authorities:
- For the transport sector: the Federal minister responsible for Transport or the Federal minister responsible for Maritime Mobility
- For the healthcare sector, including manufacture of medical (in vitro) devices: the Federal Agency for Medicines and Health Products (“FAGG”) and the Federal minister responsible for Public Health
- For the digital sectors: the Federal minister responsible for the Economy
- For the space and research sectors: the Federal minister for Science Policy
Innovation #5: higher fines and personal liability
NIS2 also differs from its predecessor in the stringency of the sanctions authorities can impose. In addition to warnings, binding instructions and having to accept an auditing officer on their premises, entities can face fines of up to 10 million euros or 2% of annual turnover for failing to comply with certain obligations.
A remarkable feature in this respect is the personal liability for members of management bodies. This fits in with the philosophy of bringing awareness about cybersecurity to top management as well.
In conclusion
The NIS2 Directive imposes a wide range of obligations on an even broader range of sectors to enhance cybersecurity within the EU. As such, it is important for organisations to understand which category they belong to and what specific obligations apply to them. Cyber-proactivity will not only avoid possible enforcement action but also increase their resilience against domestic and foreign cyber threats. Do you have questions about how to comply with the NIS2 Directive? Our experts, Jan Clinck ([email protected]) and Erika Ellyne ([email protected]), are ready to provide advice and support.