Greece: New European Legislation on Measures for a High Common Level of Cybersecurity Across the Union

The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to increase the overall level of cybersecurity in the EU by modernizing the existing legal framework, broadening the scope of covered entities, and specifying high fines (2% of global annual turnover or EUR 10 million for essential entities, and 1.4% of global annual turnover or EUR 7 million for important entities). It directly involves the board members of covered organizations and holds them accountable for any breach of the legal framework established by the new Directive.

Companies covered by the NIS2 Directive are those operating in one of the sectors listed in Annex I or II of the NIS2 Directive and that either: (a) have at least 50 employees or an annual turnover or balance sheet total of more than EUR 10 million (the organization is an important entity), or (b) have more than 250 employees or a net turnover of more than EUR 50 million and a balance sheet total of more than EUR 43 million (the organization is an essential entity).

Annex I of NIS2 lists the essential entities: energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure, ICT services (B2B), wastewater, public administration, and space activities. Annex II of the Directive lists the important entities: digital providers, postal and courier services, waste management companies, manufacturing, the production and distribution of chemicals, the production, processing, and distribution of food, and research. Finally, there is an additional category of micro and small enterprises that are automatically covered by the NIS2 Directive regardless of size: trust service providers, top-level domain name registries, domain name registration service providers, providers of public electronic communications networks, and providers of publicly available electronic communications services.

The main obligations imposed by the new Directive are: the obligation to carry out a risk assessment and to determine and implement appropriate cybersecurity measures (duty of care); the obligation to report, within 24 and 72 hours, any cybersecurity incident that significantly disrupts, or may significantly disrupt, the provision of essential services (duty to report); and the obligation to comply with the supervisory authority designated under the Directive (supervisory duty).

In Greece, the national law transposing the NIS2 Directive (Law 5160/2024) was published on November 27, 2024. The national legislation distinguishes between the management responsibility of public and private organizations (essential and important entities): it sets out specific compliance obligations for private companies, while for the public sector it only refers in general terms to the existing rules detailing the responsibilities and penalties of public employees and elected representatives, which will continue to apply. Management in both sectors (public and private) has a three-month period to decide on and present the appropriate cybersecurity measures that the affected entities must take to ensure compliance with the Directive and the national law.

Moreover, the new law specifies that if a reportable incident within the scope of NIS2 also constitutes a data breach under the General Data Protection Legislation, the incident must be reported to the National Data Protection Authority as well. If the Data Protection Authority imposes a fine for a data breach that is also a reportable incident under NIS2, the National Cybersecurity Authority shall not impose additional administrative fines for the same incident.

Affected entities must follow a detailed step-by-step plan to prepare for the implementation of the new European legislation. To this effect, they will need to engage top management and key stakeholders to allocate budget and resources; identify critical security processes, services, and assets through a company-wide Business Impact Assessment (BIA); implement a risk and information security management system (indicatively ISO 27001 or NIST) aimed at identifying, managing, and monitoring the company's information security risks; and ensure that responsibilities are defined and key processes are operational (indicatively, that incident handling, business continuity, and disaster recovery plans are in place).

The new European cybersecurity legislation already came into force on October 18, 2024; however, the vast majority of affected organizations have not even begun to prepare for it. The awareness of stakeholders and staff of cybersecurity practices, built through the design and implementation of security management systems, is critical for the successful enforcement of this important piece of legislation in the EU. Only through this awareness can the key success factor, embracing cybersecurity as an essential element of an organization's survival in the new digital era, finally come to life.

By John Giannakakis, Head of Data & Digital, Drakopoulos

This article was originally published in Issue 11.11 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.