The New EU-wide Cyber Law, Directive 2022/2555 (‘NIS2 Directive’), Entered into Force on Monday, January 16, 2023.

The NIS2 Directive will replace the current NIS Directive (Directive (EU) 2016/1148) on security of network and information systems.

Personal scope of the NIS2 Directive

The NIS2 Directive sets the baseline for cybersecurity risk management measures and reporting obligations across all sectors that the Directive classifies as "sectors of high criticality" (Annex I). These sectors are:

  • Energy,
  • Transport,
  • Banking,
  • Financial market infrastructures,
  • Health,
  • Drinking water,
  • Waste water,
  • Digital infrastructure,
  • ICT service management (business-to-business),
  • Public administration, and
  • Space.

The new Directive introduces a size-cap rule as the general rule for identifying regulated entities. This means that all entities in the sectors of high criticality listed above which provide their services or carry out their activities within the territory of the EU, and which

  1. employ 50 or more persons, or
  2. have an annual turnover and/or an annual balance sheet total exceeding €10 million,

fall within the scope of the Directive (in other words, medium-sized enterprises and larger, as defined in Recommendation 2003/361/EC).

Certain entities are covered by the NIS2 Directive regardless of their size (for example, providers of public electronic communications networks or of publicly available electronic communications services, trust service providers, top-level domain name registries and domain name system service providers).

The Directive also establishes the concept of "other critical sectors" (Annex II), which are likewise covered by the NIS2 Directive and include activities such as postal and courier services, waste management, and manufacturing.

The Directive also allows national authorities to identify further entities as covered.

The text also clarifies that the Directive does not apply to public administration entities that carry out their activities in the areas of defence, national security, public security or law enforcement. The judiciary, parliaments and central banks are also excluded from its scope.

The NIS2 Directive, among other provisions,

  1. sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among the relevant authorities in each Member State, in order to harmonise cybersecurity requirements and the implementation of cybersecurity measures across Member States.
  2. has been aligned with sector-specific legislation, in particular the Regulation on digital operational resilience for the financial sector (DORA) and the Directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between the Directive and these acts.
  3. streamlines the reporting obligations for significant incidents in order to avoid over-reporting and an excessive burden on the entities covered. The entities are obliged to submit (i) an early warning within 24 hours of becoming aware of the significant incident, (ii) an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident, and (iii) a final report not later than one month after the incident notification.
  4. establishes the European Cyber Crisis Liaison Organisation Network ('EU-CyCLONe'), which will support the coordinated management of large-scale cybersecurity incidents and crises.
  5. determines the general conditions for imposing administrative fines. The maximum amount of the administrative fines shall be at least:
     • for essential entities, €10 million or 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher;
     • for important entities, €7 million or 1.4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.

Member States are obliged to establish a list of essential and important entities, as well as of entities providing domain name registration services, by 17 April 2025, and shall review and update that list on a regular basis and at least every two years thereafter.

Member States are required to adopt and publish the provisions necessary to comply with the NIS2 Directive by 17 October 2024 at the latest, and to apply them from 18 October 2024.

By Tímea Bana, Partner, Dentons