EU: New EU cyber laws and NISD2 - key points to know
The EU has recently adopted several new cyber laws that impose detailed cybersecurity requirements, provide for significant fines for non-compliance and, in some cases, can hold senior management personally liable. These new cyber laws include: (i) the Network and Information Systems 2 Directive (NISD2); (ii) the Digital Operational Resilience Act (DORA); (iii) the Cyber Resilience Act (CRA); (iv) the Critical Entities Resilience (CER) Directive; and (v) the Cybersecurity Act.
These new cyber laws are game changers, requiring businesses operating in the EU to examine their cybersecurity processes, update their incident reporting plans, and review their interactions with vendors and other third parties. Crucially, senior management is now responsible for compliance, so businesses need to evaluate their exposure and implement the required measures.
In the first article in this series on the new EU cyber laws, William Long and Francesca Blythe, from Sidley Austin LLP, focus on NISD2, which will be enforceable from October 18, 2024.
What is NISD2?
NISD2 aims to establish a harmonized minimum level of cybersecurity across the EU, replacing the Network and Information Systems Security Directive. As cyber threats become more frequent and complex, with businesses increasingly relying on digital infrastructure, artificial intelligence (AI) tools, and data, the importance of cybersecurity grows. NISD2 enhances the level of cybersecurity, as a key pillar of the EU's digital market strategy. It complements existing data protection and privacy laws (e.g., the General Data Protection Regulation (GDPR)), and sector-specific legislation - which may also provide for cybersecurity requirements and/or incident reporting requirements (e.g., DORA, which applies to organizations in the financial services industry).
Who will NISD2 apply to?
NISD2 applies to organizations in so-called 'essential' or 'important' sectors, including energy, transport, financial markets, health, digital infrastructure, ICT service management, public administration, and space.
It is important to note that: (i) the health sector includes certain laboratories, entities carrying out research and development on medicinal products, and entities manufacturing pharmaceutical products and medical devices; (ii) the digital infrastructure sector includes Domain Name System (DNS) service providers, TLD name registries, cloud computing providers, data center providers and providers of electronic communications networks and services; and (iii) the ICT service management sector includes managed service providers and managed security service providers.
Importantly, NISD2 has extraterritorial reach, meaning that both organizations established inside the EU, and those outside the EU who provide their services in the EU, are subject to its onerous requirements.
Personal liability for senior management
One of the most significant aspects of NISD2 is the personal liability it imposes on senior members of staff who fail to adequately implement the cybersecurity risk management measures in line with NISD2. Senior management can be subject to administrative fines or other penalties including a suspension from exercising managerial functions.
New cybersecurity risk management measures
NISD2 (and its implementing regulations) mandates minimum cybersecurity measures, including:
- internal risk and IT security policies;
- incident handling procedures;
- business continuity measures (e.g., disaster recovery);
- supply chain security measures and measures related to securing network and information systems acquisition, development, and maintenance;
- policies and procedures to assess the effectiveness of cybersecurity measures as well as basic cybersecurity hygiene and staff training;
- HR security, access controls, and secure communication channels; and
- the use of multi-factor authentication or continuous authentication solutions and secure communication channels.
New and increased incident reporting
Organizations must notify the competent EU Member State authority, and their customers, of any cyber incident with 'significant impact,' meaning incidents which have:
- caused or are capable of causing severe operational disruption or financial loss for the entity; or
- affected or are capable of affecting other (natural or legal) persons by causing considerable material or non-material damage.
The statutory incident reporting timelines are stricter than those under the GDPR and are layered as follows: (i) a first 'early warning' to the competent authority within 24 hours of becoming aware of the incident; (ii) a formal incident notification within 72 hours; and (iii) a final report one month after the submission of the formal incident notification. The competent authority can also compel entities to make public certain information about the incident, or the authority can choose to issue a public statement on the incident itself.
EU representatives and registration
NISD2 requires that DNS service providers, top-level domain (TLD) name registries, managed service providers (MSP), and cloud providers who are subject to it by virtue of its extraterritorial application, designate a representative in the EU as a contact point for cyber incidents or requests from competent authorities.
In addition, the European Union Agency for Cybersecurity (ENISA) will create and maintain a pan-EU registry of DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, and MSPs/managed security service providers (MSSP) on the basis of information received from the Single Point of Contact (SPoC) and the EU Member States.
The SPoCs are required to provide to the competent EU Member State authorities, by January 17, 2025, relevant details on the company, including the name of the entity; the relevant sector, sub-sector and type of entity; the address of the main and other establishments and of the EU representative; contact details; and the Member States where the company provides services. Competent authorities are able to access this registry with approval from ENISA.
What are the sanctions for non-compliance?
EU Member States will define penalties, which must be effective, proportionate, and dissuasive. Maximum fines must be set at the higher of €10 million or 2% of total worldwide turnover. Other sanctions include temporary service suspension, public disclosure of infringements, and injunctions to immediately cease infringing conduct.
How much time do companies have to comply and steps to consider?
NISD2 entered into force on January 17, 2023, and must be implemented by EU Member States by October 17, 2024.
Businesses should consider:
- assessing whether they fall within the scope of NISD2;
- reviewing and implementing required cybersecurity measures; and
- developing risk mitigation strategies under NISD2.
NISD2 provides that administrative fines for non-compliance should be at least €10m or 2% of total worldwide turnover and, unlike other similar EU legislation, does not provide for a maximum amount, allowing EU Member States to administer higher fines as appropriate.
William Long Partner
Francesca Blythe Partner
Sidley Austin LLP, London
The views expressed in this article are exclusively those of the authors and do not necessarily reflect those of Sidley Austin LLP and its partners. This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.