Network and Information Systems (NIS II) Directive
The Network and Information Systems Directive (Directive (EU) 2022/2555; “NIS II Directive”) is aimed at strengthening the level of cybersecurity across the EU in sectors that are central to the functioning of society, such as energy, health, digital infrastructure, and ICT service management. It replaces the NIS I Directive of 2016 (Directive (EU) 2016/1148), updates its cybersecurity rules, and broadens the scope to new sectors and businesses.
What does this mean?
- Entities covered by the NIS II Directive will have to assess and manage the risks to the security of the network and information systems they use for their operations or services. This includes implementing appropriate and proportionate technical, operational and organisational security measures, addressing the security of their supply chains (including the relationship with direct suppliers and service providers), and reporting significant incidents to the competent authority or CSIRT: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the notification.
- Management bodies of essential and important entities are required to approve risk-management measures and oversee their implementation and compliance. These management bodies can be held liable for infringements.
- The Directive also aims to improve EU Member States’ preparedness and requires each Member State to have an appropriate national cybersecurity strategy, competent authorities, and a crisis management framework. For example, each Member State must designate one or more competent authorities responsible for cybersecurity matters (and, if multiple authorities are designated, a single point of contact) as well as one or more computer security incident response teams (CSIRTs). In addition, the NIS II Directive enhances cooperation among the Member States, e.g., through the Cooperation Group, which supports and facilitates strategic cooperation and the exchange of information.
Who?
- The NIS II Directive applies to essential and important entities, e.g., in the following sectors that are vital for the EU economy and society and that rely heavily on ICT: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, space, postal and courier services, waste management, food, research, and manufacturing (e.g., medical devices and electronic products).
- Essential entities include, among others, (i) entities in the sectors of high criticality (Annex I) that exceed the ceilings for medium-sized enterprises, i.e., large enterprises, (ii) qualified trust service providers, top-level domain name registries, and DNS service providers, regardless of their size, (iii) providers of public electronic communications networks or of publicly available electronic communications services that qualify as medium-sized enterprises, (iv) public administration entities, and (v) entities identified as critical entities under the CER Directive.
- Other entities in the specified sectors that are medium-sized or larger are considered important entities; smaller entities are generally out of scope unless a specific rule brings them in.
Consequences
- Non-compliance with the national legislation implementing the NIS II Directive in a Member State can lead to supervisory and enforcement measures, such as warnings, binding instructions, orders to comply, and administrative fines. For essential entities, administrative fines may be up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
- Supervision and enforcement are the responsibility of the national competent authorities designated under NIS II in each Member State.
Timeline
- The NIS II Directive entered into force on 16 January 2023. Member States have until 17 October 2024 to transpose the Directive into national law, and the national measures apply from 18 October 2024.