ALTIUS/Tiberghien
  July 17, 2024 - Belgium

Hacking NIS2: 5 innovations about the sequel to the EU’s cybersecurity framework

Introduction

NIS2 (the second “Network and Information Systems Directive”) is an updated regulatory framework introduced by the European Union to strengthen cybersecurity across member states. It is a successor to the original NIS Directive, which was adopted in 2016. NIS2 aims to address the evolving (geopolitical) landscape of cyber threats by drastically expanding the scope of the original directive, introducing stricter requirements and higher penalties (including personal liability for management bodies).

The Belgian implementation Act and implementing Royal Decree were recently published in the Belgian State Gazette. The Belgian NIS2 framework has thus taken further shape, and, in contrast to many other Member States, well ahead of its entry into force on 18 October 2024.

Be aware that the framework is not yet finished. As we speak, the EU Commission is working on implementing acts laying down the technical and methodological requirements for specific types of entities.

This blog highlights 5 innovations.

Innovation #1: the introduction of “important entities”

NIS1 focused on operators of essential services. NIS2 introduces a second category. Now two types of entities fall within the scope: “essential entities” and “important entities”.

Whether a company qualifies as any of these entities will, mainly, depend on:

  1. The entity’s activities: if an entity undertakes activities from a sector listed in one of the two annexes to the NIS2 Act (see below), then the company is eligible to be covered.
  2. The size of the enterprise: in general, only large enterprises fall within NIS2’s scope, so most SMEs are excluded.

Note: There are several exceptions (for example, some activities fall within the scope regardless of the entity’s size). In addition, supervisory authorities can also decide that, under certain circumstances, an entity falls under NIS2.

Whether and to what extent a company falls under NIS2 can therefore be a complex exercise.

Innovation #2: more sectors and activities are covered

NIS2 identifies “highly critical sectors” (Annex I) and “other critical sectors” (Annex II). Looking at these two annexes, one will notice that the NIS2 Act has a significantly broader range of application than its predecessor: NIS2 not only expands sectors that were already mentioned in NIS1 (for example, the “health” sector now also includes laboratories and pharmaceutical companies), it also adds a whole range of new sectors (for example, space, food and manufacturing):

Annex I: Highly Critical Sectors

  1. Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  2. Transport (air, rail, water: maritime navigation, road)
  3. Banking
  4. Financial market infrastructure
  5. Health (hospitals, laboratories and pharma)
  6. Drinking water
  7. Waste water
  8. Digital infrastructure (internet exchange points, DNS services, datacenters, cloud providers, communication networks, etc.)
  9. (B2B) ICT service management
  10. Public administration(s)
  11. Space

Annex II: Other Critical Sectors

  1. Postal and courier services
  2. Waste management
  3. Chemical industry (manufacture, production and distribution)
  4. Food (production, processing, distribution)
  5. Manufacturing (of medical devices, computers and electronics, machinery and equipment, motor vehicles and trailers, other transport equipment)
  6. Digital providers (online marketplaces, search engines, social networks)
  7. Research organisations

Innovation #3: new and broader obligations (registration, risk management, reporting and conformity assessments)

Exactly which obligations an entity must comply with depends on its qualification as an “essential” or “important” entity.

Both types of entity should in any case:

Furthermore, essential entities have the obligation to conduct regular conformity assessments. Important entities can voluntarily undergo such assessments. The Royal Decree has further set out the modalities and timings for complying with this obligation.

Innovation #4: enforcement by sectoral authorities

The NIS2 enforcement structure has also undergone an interesting update. As was the case under NIS1, the Belgian Centre for Cybersecurity (“CCB”) will still hold the sceptre in enforcing NIS2 in Belgium. However, besides central enforcement by the CCB, NIS2 introduces the possibility of delegating enforcement to sectoral authorities, each for their own material sector. The exact extent of this cooperation and delegation from the CCB to these sectoral authorities is subject to cooperation agreements, which are yet to be concluded. The recently published Royal Decree indicates that it concerns the following sectoral authorities:

Innovation #5: higher fines and personal liability

NIS2 also differs from its predecessor in the stringency of the sanctions authorities can impose. In addition to warnings, binding instructions and having to tolerate an auditing officer on your premises, entities can face fines of up to 10 million euros or 2% of annual turnover for failing to comply with certain obligations.

A remarkable feature in this respect is the personal liability of members of management bodies. This fits in with the philosophy of raising awareness about cybersecurity at the level of top management as well.

In conclusion

The NIS2 Directive imposes a wide range of obligations on an even broader range of sectors to enhance cybersecurity within the EU. As such, it is important for organisations to understand which category they belong to and what specific obligations apply to them. Cyber-proactivity will not only avoid possible enforcement action but also increase their resilience against domestic and foreign cyber threats. Do you have questions about how to comply with the NIS2 Directive? Our experts, Jan Clinck ([email protected]) and Erika Ellyne ([email protected]), are ready to provide advice and support.