The European Cybersecurity Directive NIS2 is About to Apply
17 September 2024
By Ariel Yosefi, Dan Shalev, Michal Kra & Yuval Glezer
General
Early in 2023, the Network and Information Security Directive (EU) 2022/2555 (“NIS2”) entered into force, replacing the previous cybersecurity Directive (EU) 2016/1148 (also known as the NIS Directive).
NIS2 is part of a wider effort by the European Union to increase cyber resilience across Europe. Its scope has expanded beyond the previous directive and now covers a broader range of industries and service providers which, according to the EU legislators, are essential to the supply chain of critical infrastructure. These include, inter alia, cybersecurity companies, trust service providers, cloud computing services, digital providers (e.g., online search engines, online marketplaces and social networking platforms), and digital infrastructure providers (such as DNS service providers and content delivery networks).
Under the new directive, member states have until 17 October 2024 to adopt and publish the measures necessary to comply with the directive, and those measures apply from the following day (18 October 2024). Currently, only three countries (Belgium, Croatia and Hungary) have adopted a national implementation act; the other member states are at different stages of the legislative process.
Scope of Application – Essential and Important Entities
NIS2 applies to two categories of entities, “essential entities” and “important entities”, determined by the sector in which an entity operates and by its size (measured by the number of employees and by annual turnover or annual balance sheet total). An entity that does not meet the size threshold can still be designated as essential or important in limited circumstances, for example where it is the sole provider in a member state of a service that is essential for the maintenance of critical societal or economic activities.
The categorization is based on the criticality of the services provided and the potential impact of a cybersecurity incident. Essential entities typically operate in sectors like energy, health, transport, and banking, where disruptions can have widespread societal and economic consequences. Important entities, while still vital, have a lower risk profile but are nonetheless significant to overall digital security.
Under the new directive, the primary distinction between essential and important entities lies in the level of regulatory oversight applied to each. Essential entities are subject to proactive (ex ante) supervision, including regular audits and compliance checks, while important entities face reactive (ex post) supervision, with authorities intervening primarily when evidence of non-compliance or an incident comes to their attention. Penalties for non-compliance are also higher for essential entities, reflecting their greater impact on critical infrastructure.
The following table provides a high-level overview of the application of NIS2 to each sector, according to the size of the entity.

| Sector | Large enterprise (exceeding medium-sized) | Medium-sized enterprise | Small and micro enterprises |
| --- | --- | --- | --- |
| Sectors of high criticality | | | |
| Energy, transport, banking, financial market infrastructure, health, drinking water, public administration, and space | Essential | Important | Out of scope |
| Digital infrastructure (including, without limitation, cloud computing service providers, data centre service providers, providers of public electronic communications networks, Internet Exchange Point providers) | Essential | Important | Out of scope |
| ICT service management (B2B) (managed service providers and managed security service providers) | Essential | Important | Out of scope |
| Other critical sectors | | | |
| Postal and courier services, waste management, chemicals, food and research | Important | Important | Out of scope |
| Manufacturing (medical devices, electronic equipment, and various other equipment) | Important | Important | Out of scope |
| Digital providers (providers of online marketplaces, online search engines, social networking services platforms, etc.) | Important | Important | Out of scope |

The size of an entity is classified by its annual turnover, annual balance sheet total and number of employees, according to the criteria referenced in the directive. Note that the table is a simplification: the directive designates certain entities as essential regardless of size (for example, qualified trust service providers, top-level domain name registries and DNS service providers), and the sole-provider and similar exceptions described above can also bring smaller entities into scope.
Obligations Under the Directive
Under the new directive, EU member states must ensure that essential and important entities comply with, among others, the following obligations:
Cybersecurity risk management measures: NIS2 requires member states to ensure that essential and important entities implement proportionate technical, operational, and organizational measures to manage security risks in their network and information systems. These measures shall include at least the following:
- Risk analysis and information system security policies;
- Incident handling;
- Business continuity (such as backup management, disaster recovery and crisis management);
- Supply chain security (including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers);
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- Policies and procedures to assess the effectiveness of cyber risk management measures;
- Basic cyber hygiene practices and cybersecurity training;
- Policies and procedures for cryptography and encryption;
- Human resources security, access control policies and asset management;
- Use of multi-factor authentication or continuous authentication solutions, and secured communication systems (including secured emergency communications).
Member states are also required to ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures, oversee their implementation and can be held liable for infringements.
Reporting obligations: Member states are required to ensure that, in the case of a significant incident (as defined in the directive), entities notify the member state’s designated computer security incident response team (“CSIRT”) or, where applicable, the competent authority. The directive sets out the timeframes and content of this notification: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification.
Member states are also required to ensure that, where appropriate, entities notify the recipients of their services who are potentially affected by a significant cyber threat of that threat and of any measures or remedies those recipients can take in response.
Registry of entities: The European Union Agency for Cybersecurity (ENISA) shall create and maintain a registry of certain categories of service providers, including DNS service providers, TLD name registries, cloud computing service providers, managed security service providers and others. This registry will be based on information received from the member states’ single points of contact.
By 17 January 2025, the entities concerned must provide the applicable authorities with the following details: entity name, sector, address, contact details, the member states where services are provided and the entity’s IP ranges. EU member states have until 17 April 2025 to establish a list of essential and important entities.
Jurisdiction: Entities are generally subject to the jurisdiction of the member state where they are established. However, there are specific exceptions, such as:
- Providers of public electronic communications networks or services fall under the jurisdiction of the member state where they provide their services.
- Entities such as DNS service providers, TLD name registries, cloud computing and data centre service providers, online marketplaces, search engines and social networking platforms fall under the jurisdiction of the member state where they have their main establishment in the EU. The main establishment is the one where decisions related to cybersecurity risk management measures are predominantly taken; if that cannot be determined, it is the establishment where cybersecurity operations are carried out.
- Non-EU established entities: If an entity of one of the above kinds is not established in the EU but offers services within the Union, it must designate a representative established in one of the member states where it offers its services. Jurisdiction then falls to the member state where the representative is established.
Enforcement
Essential entities are exposed to stricter enforcement measures than important entities, including higher administrative fines for non-compliance: member states must provide for a maximum fine of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.
Important entities face a lower maximum fine of at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher.
Companies providing the services outlined above should carefully review these requirements to ensure compliance with the NIS2 directive. Adopting appropriate measures can help avoid potential penalties and ensure robust cybersecurity practices. Please feel free to contact us if you have any questions or need guidance on how these regulations might affect your company’s operations.