Adopted in November 2022 and published as Directive (EU) 2022/2555, the NIS 2 Directive represents a significant step forward for cybersecurity at the European level. Its objective is simple yet ambitious: to raise the level of cybersecurity in all Member States by establishing a common baseline of security requirements that reduces the risk and impact of cyberattacks.
The desire to improve and standardise the overall level of cybersecurity within the EU is not new. Indeed, since 2015, the European Commission has been evolving the single economic market into a single digital market. This includes creating an environment conducive to the development of secure digital networks and services.
Behind this Directive stand the public and private organisations that are concerned about the economic and organisational consequences of the strengthened security measures. To help you understand the expectations and stakes of the text, without succumbing to panic, we have conducted a legal analysis of its key points so that you can anticipate the deadlines it sets.
1. European Directive: what is it about?
A Directive and a Regulation are two types of EU legislation. They differ in their nature, application, and the degree of flexibility granted to Member States to implement them.
A European Regulation is a legislative act that is directly applicable, uniformly and with binding effect, in all Member States from its entry into force. It requires no additional national legislation in order to apply. Regulations are often used to harmonise laws and rules, thus ensuring a coherent legal framework across different domains. This is the case with the General Data Protection Regulation (GDPR), which governs the processing of personal data within the EU.
A European Directive, on the other hand, is a legislative act that sets an objective or result to be achieved by the Member States. Unlike a Regulation, a Directive is not directly applicable. Member States must adopt their own national legislation to implement the objectives set out in the Directive within their own legal system. This mechanism is called transposition. It is a crucial element of the European legislative process, as it is what ensures the harmonisation and consistency of rules across the EU.
Member States generally have some discretion in how they achieve these objectives, as long as they comply with the requirements of the Directive. Transposition may involve adopting new laws or additional national legislative acts, or amending existing laws to bring them into line with the provisions of the text. It is important to note that Member States are required to transpose a Directive within a specified deadline (for NIS 2, 17 October 2024, with the national measures applying from 18 October 2024). Failure to comply with this obligation may result in infringement proceedings against the Member State concerned.
Thus, depending on where you operate, you will have to apply the transposition law of each country in which you conduct your activities. Since NIS 2 is a minimum-harmonisation text (Article 5), certain measures may differ or be stricter from one Member State to another, and a group present in several countries may face several sets of national rules.
2. Am I affected by the Directive?
You need to consider four scenarios:
- Your sector or sub-sector of activity is explicitly listed in Annex I (sectors of high criticality) or Annex II (other critical sectors) of the Directive, and you meet the size criterion, i.e. you are at least a medium-sized enterprise within the meaning of Recommendation 2003/361/EC (50 or more employees, or annual turnover or balance sheet above EUR 10 million). In this case, you are within the scope of the NIS 2 Directive, as an essential or an important entity depending on your sector and size. You can already assess your internal security level and conduct an initial gap analysis against the obligations arising from the European text.
- Your sector or sub-sector of activity appears in the annexes in a non-explicit manner, or in multiple categories, or in categories subject to interpretation. In your case, it is preferable to await the national law that will lift your doubts, as it will clarify the scope of application through the transposition law.
- Your sector or sub-sector of activity does not appear in the annexes, or you do not meet the size criterion. You may still be caught by the exceptions to the size rule (Article 2(2) brings in certain entities regardless of size, for example sole providers of a service essential to society, or entities whose disruption could have a significant impact on public safety or security). You will therefore need to follow the work on the transposition law.
- Your sector or sub-sector of activity appears in Annex I or II of the Directive, yet you may still fall outside its obligations if you carry out activities in the areas of national security, public security, defence or law enforcement. The Directive itself excludes public administration entities active in those areas (Article 2(7)), and allows Member States to exempt other specific entities carrying out such activities from the security and reporting obligations (Article 2(8)); whether your organisation benefits from this will therefore depend on the national text.
3. Legal and security obligations
The Directive lists various obligations to be implemented, which will be further elaborated during transposition. You can find some of the obligations related to the security of information systems in the following article: How to prepare for the NIS 2 Directive?
As an example, one point of attention is the hosting of information systems in the cloud. The Directive does not prohibit the use of this technology, but companies will need to ensure that the information stored there is protected and secured. Among the measures listed in Article 21 are supply chain security, which covers the relationship with cloud providers, and policies on the use of cryptography and, where appropriate, encryption. You will therefore have to decide, per category of data, whether it can be hosted in the cloud at all and under what protection (for example, encryption with keys that you control). The choice of cloud service providers also matters. A risk analysis and impact assessment will most likely be required in order to classify the data, map its flows, and allocate responsibility between you and the provider in the event of a security incident and/or personal data breach.
In addition to the security obligations, you will be required to register with the competent authority and provide the information requested under the NIS 2 Directive (identity and contact details, sector, and the Member States in which you provide services), for example to the Centre for Cybersecurity Belgium (CCB) in Belgium.
4. Which authority should I contact?
In the context of compliance, the national authorities designated under the Directive (in most Member States the national cybersecurity agency, such as ANSSI in France or the CCB in Belgium) will support organisations in implementing the security measures and provide clarification on the regulations. These same competent authorities are responsible for supervising organisations and for imposing sanctions, which the Directive caps at EUR 10 million or 2% of worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities. For more information, please refer to your national centre: National Cybersecurity Coordination Centres.
You can also turn to Alter Solutions to implement a dual action: protecting your information systems and protecting the personal data processed by your organisation.
5. Is the NIS 2 Directive compatible with other regulations?
One of the sensitive points of transposition is how the cybersecurity measures fit together with existing rules. The objective of the national authorities is to align the applicable standards so as to avoid adding complexity, keep the texts coherent, and prevent the stacking of overlapping obligations. In France, for example, ANSSI works with the CNIL to avoid creating additional regulatory complexity with respect to the GDPR and to allow both pieces of legislation to coexist.
Additionally, the Directive does not explicitly mention the role of Data Protection Officers (DPOs). In practice, however, the two sets of obligations overlap (incident and breach notification, risk assessment, supplier management), so the DPO and the CISO (Chief Information Security Officer) will need to cooperate within your organisation in order to pool their respective skills rather than duplicate work.
6. What about the financial cost for organisations?
The resources required to implement the security measures under the NIS 2 Directive can be significant. How much they cost will, however, depend on your current level of cybersecurity maturity. At present there are no plans for the national authorities to provide financial assistance, but they will offer tools, guides, and recommendations that reduce the cost of compliance.
Nevertheless, it is important to keep in mind that the text rests on a fundamental notion: proportionality. Article 21(1) requires "appropriate and proportionate" measures, taking into account the state of the art, the cost of implementation, and the entity's exposure to risk. The requirements will therefore vary depending on the size, criticality, and sector of activity of your organisation. In the event of an inspection, you will need to demonstrate that the means you have implemented are necessary and sufficient to justify the security of your information systems, which is why documenting your risk analysis and the reasoning behind each measure matters as much as the measures themselves.