Due to the increased threat of cyberattacks and the need to ensure resilience in key sectors, the European Parliament has adopted the Network and Information Security Directive 2.0 (NIS2). The Directive requires European Union (EU) member states to implement national laws on cyber risk management effective from no later than 17th October 2024.
NIS2 expands significantly on the original NIS Directive, which came into force in 2018, bringing many more sectors and organisations within its scope. Sectors covered by NIS2 are highlighted below:
For the most part the NIS2 Directive is applicable to any organisation that provides services or undertakes business in the EU in the sectors listed above. This is subject to it also meeting the threshold for a medium-sized enterprise as defined by the EU, i.e. it has at least 50 employees or achieves an annual turnover or an annual balance sheet total of more than EUR 10 million. It should also be noted that where an organisation acts solely as a supplier to an EU company, it may still be indirectly impacted by NIS2 via the Directive’s supply chain requirements.
The cyber risk management requirements and levels of fines for non-compliance under NIS2 are linked to whether the organisation is classified as either an ‘Essential Entity’ or an ‘Important Entity’. In summary, an ‘Essential Entity’ is one that is within a sector identified as being in the high criticality category (see above) and has at least 250 employees, or an annual turnover of over EUR 50M and an annual balance sheet total of over EUR 43M. Most other organisations are classified as an ‘Important Entity’; however, it should be noted that there are some exceptions to this general ‘rule of thumb’.
Requirements under NIS2 include Essential and Important Entities taking appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems. This includes:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, such as backup management, disaster recovery and crisis management
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and where appropriate, encryption
- Human resources security, access control policies and asset management
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
NIS2 also requires Essential and Important Entities to report significant incidents to the CSIRT (Computer Security Incident Response Team) or competent authority.
Fines for breaches of NIS2-related legislation are up to a maximum of EUR 10 million or 2% of the total worldwide annual turnover for Essential Entities, and EUR 7 million or 1.4% of the total worldwide annual turnover for Important Entities.
It is recommended that relevant organisations review their cyber risk management arrangements in light of this new Directive. Further information on the NIS2 Directive is available here.
Griffiths & Armour can conduct cyber insurance assessments to aid understanding of cyber risk exposure and inform the insurance risk transfer strategy. Further cyber risk and cyber incident response guidance, supplemented by template policies and plan documentation plus e-learning, is available via RMworks, which is available to all Griffiths & Armour clients.
For further information and support, please get in touch.