The NIS2 Enigma: who will be caught by the EU’s updated cyber requirements?
The arrival of NIS2 is only one year away. With significantly enhanced requirements around cybersecurity management extending across the supply chain, increased reporting obligations in the case of a cyber breach, and personal liability for senior management, working out whether or not an organisation will be in scope for NIS2 is an important question, and a "yes" may trigger months of preparation. NIS2 has increased the number and type of sectors to which the former NIS1 rules will apply, but whether NIS2 applies will also depend on an organisation’s size and where it offers its services.
Unpacking the scope and territoriality rules under the NIS2 Directive
One year from now – on 17 October 2024 – the implementation deadline of the second Network and Information Systems (“NIS2”) Directive will be upon us. As the countdown to that deadline begins, many organisations will be looking to determine the all-important question: Are we caught by NIS2?
NIS2 substantially enhances the cybersecurity obligations on in-scope entities compared with those found under the first NIS Directive, including enhanced reporting obligations, personal liability for management bodies and broad supply chain impacts, so being caught by NIS2 is not something an organisation can take lightly. For those in scope, preparation will be key to ensuring that cyber standards are up to scratch, supply chains are ready and an organisation’s executive can stand by its cybersecurity measures.
What is NIS2?
Part of the EU’s Cybersecurity Strategy, NIS2 repeals and replaces the original NIS Directive which entered into force in 2016 (with Member State implementation by 9 May 2018). Much like its predecessor, it establishes measures for a common level of cybersecurity for critical services and infrastructure across the EU. Recognising the ever-growing threat which cyber-crime poses for the economic and societal stability of the Union, NIS2 aims to harmonise cyber-resilience through the following obligations:
- Ensuring appropriate and proportionate cybersecurity risk management measures are in place following an “all-hazards” approach which is proportionate to risk, entity size, the likelihood of a security incident and the severity of economic/social impact were it to happen. Notably, and unlike its NIS1 predecessor, the cost of implementation can be taken into account when determining what measures are appropriate and proportionate.
- Supply chain diligence – as part of assessing its own cybersecurity measures, an in-scope organisation must now assess and assure the cybersecurity practices of its supply chain including how cybersecurity obligations are driven by contractual mechanisms.
- Three-stage reporting obligations upon the occurrence of a “significant incident”[1] – the first report required will be an early warning within 24 hours of first awareness. This should be followed by a second, more comprehensive notification within 72 hours, and a more detailed report within one month of the initial notification.
- Executive approval and oversight – management bodies of in-scope entities must both approve and oversee the implementation of their entity’s cybersecurity risk management measures. They can be held personally liable for infringements of those obligations. NIS2 also gives supervisory authorities the power to suspend relevant management functions pending implementation of measures to address any breach. Management bodies are also required to undertake and follow training on cybersecurity measures, and to offer similar training to their employees on a regular basis.
- Enhanced supervision and enforcement – these can be grouped into powers of audit and inspection, enforcement, and temporary suspension of management functions or relevant security certifications. Fines are in addition to other enforcement measures, and can reach a maximum of €10 million or 2% of total global annual turnover for Essential Entities, and €7 million or 1% for Important Entities.
Who is in scope for NIS2? Unpacking the three-limbed criteria
The reach of NIS2 is significantly wider than its predecessor. No longer applying solely to “Operators of Essential Services” and “Digital Service Providers”, NIS2 has been expanded to include a greater number of named sectors including: managed service providers, social media, waste management, medical device manufacturers, postal services, food, space (as in rockets, not storage), chemical distribution and public administration services.
The main determining factor of whether an entity is in scope will be whether it falls within the sectors specifically called out in the Directive. But sector alone is not determinative: a listed entity must also meet a size threshold and be providing services or carrying out activities in the EU for NIS2 to apply.
There are consequently three criteria determining whether or not an entity is in scope for NIS2:
- The entity operates in a sector listed in Annex I or II
- The entity meets or exceeds the definition of a medium-sized enterprise, or is otherwise in scope regardless of size
- The entity provides services or carries out activities in the EU
Does my organisation fall within a sector listed in Annex I or II?
NIS2 will only apply to entities falling within Annex I or II of the Directive. Annex I lists the “Sectors of High Criticality” while Annex II lists “Other Critical Sectors”. The distinction between the Annexes has less impact than the further classification of in-scope entities into “Essential Entities” and “Important Entities”. It is this latter distinction which determines the level of supervision and enforcement that will apply to the relevant entity. For example, enforcement measures are applied ex post, or “after the event”, with respect to Important Entity breaches, while for Essential Entities supervisory and enforcement measures are expected to be more proactive.
The general rule is that Annex I sectors will tend to be “Essential Entities” and Annex II sectors “Important Entities”. However, the correlation does not always hold. For example, Member States have the power to characterise entities in both Annexes I and II as either “Essential” or “Important” regardless of their size, and central government public administration will always be regarded as “Essential”. What becomes clear, therefore, is the importance of Member States, not only in their implementation of the Directive, but also in determining which entities will be in scope and how they are classified.
The Annex I sectors can be broadly described as those providing services in: energy; transport; banking; financial market infrastructure; healthcare providers (including manufacture of basic pharmaceutical products and manufacturing medical devices considered critical during a health emergency); drinking water; waste water; digital infrastructure; IT service management (B2B); public administration; and space.
Annex II entities are those providing: postal courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; and the manufacturing of medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and other transport equipment (all as defined in section C of NACE).
Does my organisation meet or exceed the size threshold?
In order to be considered in scope for NIS2, an entity must meet or exceed the ceilings for medium-sized enterprises (“MSE”) as defined under Recommendation 2003/361/EC.
Article 2 of the Annex to that Recommendation defines an MSE as an enterprise “which employ[s] fewer than 250 persons and which [has] an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million”. In order to qualify as an MSE, an organisation must therefore satisfy both the staff headcount criterion and a financial criterion. There is intentional flexibility as to whether turnover or balance sheet total is used as the financial indicator of status, but one such financial indicator must always be combined with the staff headcount criterion.
The Recommendation also takes into account an organisation’s relationship with certain “linked” or “partner” enterprises for the purposes of assessing MSE status (see Article 3 of the Annex to the Recommendation and recital 9 in particular). Therefore, if a small organisation which otherwise falls below the staff and turnover/balance sheet criteria is nevertheless linked to another organisation by virtue of factors such as parent company or joint shareholder voting rights, or the exercise of dominant influence over a linked or partner enterprise, it may still qualify as an MSE for NIS2 purposes.
Does my organisation provide services or undertake activities in the EU?
Under the final limb of the scope criteria, NIS2 will apply only to those entities which provide services or undertake activities in the EU. This is a narrower test than under the GDPR, which can catch organisations by virtue of establishment alone, irrespective of whether the target activity – in that case the processing of personal data – takes place in the Union or not.
The outcome of this narrower scope appears to mean that in a model where a global organisation has a parent company outside of Europe and subsidiaries within the EU, only the individual entity physically providing services or undertaking activities in the EU will be caught. However, cyber risk management requirements will apply to the entire supply chain as part of the broader obligations on in-scope entities. As a result, parent companies outside of the EU may still be caught.
It is also worth noting the rules on jurisdiction and territoriality contained in Article 26. These rules deal with establishment but only for the purposes of determining under which Member State jurisdiction an in-scope entity will fall. This could be important, especially since Member States may interpret and implement the Directive differently, and indeed are permitted to exceed its baseline standards when implementing NIS obligations into Member State law. Member States will also be key to determining which entities will be in scope for NIS2 within their jurisdictions and therefore who will be under the watchful eye of their regulators.
Is there a materiality criterion for the application of NIS2?
One final factor to consider is whether or not the services caught by NIS2 are sufficient to trigger application of the Directive when they constitute a minor part of an organisation’s overall offerings. For example, if 95% of an organisation’s services are not listed in Annex I or II of the Directive (or are otherwise not provided within Europe), but 5% of its services are of a nature that they are caught by Annex I or II (or provided within Europe), will that 5% be sufficient to bring the whole organisation into the scope of NIS2?
The simple answer is that there does not appear to be a materiality criterion for the application of NIS2. The scope of the Directive is determined by the three factors stated above. While the size of the entity is therefore a factor, the proportion of its business activities that are in scope, insofar as those activities vary, does not appear to be relevant. Rather, this is something of an all-or-nothing question: if, as an entity, you distribute chemicals as listed in Annex II, you are an entity in scope for NIS2 (assuming the MSE and EU activities criteria are also met).
The result is that this will invariably come down to a risk assessment, by an organisation, around the applicability of NIS2. If a mere 5% of its business is in scope, is that enough to attract the attention of a Member State regulator if NIS2 is not being complied with?
Here, it is important to remember that under Article 3(3), it is Member States who will ultimately have the final say over which organisations they will include on a Member State’s list of Essential and Important entities falling within their jurisdiction. This list must be provided to the EU Commission by 17 April 2025.
We do not yet know how each Member State will come to pull this list together, and the guidance on Article 3 NIS2 published by the EU Commission on 13 September 2023[2] did little to clarify the matter. There is, of course, a very real possibility that Member States will interpret NIS2 differently, resulting in lists which look very different from one jurisdiction to another. The result is that, to some extent, the decision on applicability may be outside an organisation’s control, and it will be interesting to see whether any form of appeals process is put in place where an organisation does not agree with a Member State’s determination.
Direct and indirect application
For entities that do not directly fall within the scope of NIS2, the application of NIS2 to an in-scope entity’s supply chain may mean that an organisation finds itself indirectly affected by the legislation in a way which is almost as significant as being directly in scope. This might be the case, for example, for organisations in the UK which do not provide services within the EU but are nevertheless in the supply chain of businesses which do. It could equally be the case for a small enterprise which has otherwise fallen outside NIS2 by virtue of the size criterion mentioned above.
Under NIS2, in-scope entities must now assure the cyber-resilience of their supply chain when implementing their own cybersecurity risk management measures. The Directive does not provide a lot of detail on how this translates into practical assurance measures, although reference is made to the contractual mechanisms used to obtain legally enforceable guarantees of a supplier’s cybersecurity measures. Supply chain organisations might therefore expect to see enhanced contractual obligations relating to their security posture, but also increased rights of due diligence and audit in favour of the customer or in-scope organisation.
Additionally, since supply chain organisations may also be key to facilitating the in-scope entity’s compliance with NIS2 reporting requirements, we also expect to see more exacting requirements making their way into contracts, requiring supply chain businesses to provide timely and detailed reporting, together with ongoing assistance, with respect to security incidents meeting the reporting threshold. While these obligations may not be novel in the age of GDPR security reporting, it should be remembered that NIS2 reporting applies to cyber incidents more broadly, and not just those impacting personal data.
Conclusion – Is an organisation in scope for NIS2? Member States may yet have the final word
The scope of NIS2 is far from straightforward, and for any organisations left pondering the application of NIS2 to their businesses, clarity is likely to come when Member States get involved.
Not only do Member States have until 17 October 2024 to transpose the Directive into their national law, but, as discussed above, they are also required to produce a list of Essential and Important entities to which they consider NIS2 applies. However, the deadline for doing so is 17 April 2025, some six months after the implementation deadline, which could mean further uncertainty for those organisations unclear on the application of NIS2 when it first becomes national law.
There is, however, likely to be a degree of consultation between in-scope organisations and Member States – Article 3(4) NIS2, for example, contemplates Member States operating a self-registration mechanism for those entities which believe they are in scope, and suggests that a degree of consultation between Member States and target entities is likely. It is not, however, clear whether Member States will offer an appeals process for entities which do not agree with a Member State’s determination that they are in scope for NIS2. There is also every possibility that an organisation operating across multiple Member States could find itself in scope of NIS2 in one Member State and not in another.
All this means that for organisations on the fringes of NIS2, the question of its application remains unclear. In such circumstances, organisations should consider preparing as though NIS2 will apply. Beyond the risks of fines and enforcement under NIS2, taking pre-emptive action – for example, improving cybersecurity management and the awareness of cyber risks at senior management level – is an opportunity for organisations to build customer trust, strengthen market position and minimise the risk of cyber-attacks occurring.
For advice on whether or not your organisation is likely to fall under NIS2, please contact the author or your usual DLA Piper contact.
[1] Defined as an incident “causing or being capable of causing severe operational disruption of services or financial loss or has affected or is capable of affecting natural or legal persons by causing considerable material or non-material damage”.
[2] Commission Guidelines on the application of Article 3(4) of Directive (EU) 2022/2555, C(2023) 6070, 13 September 2023.