Under the original NIS Directive, the specific obligations faced by an organization varied depending on whether the organization was classified as an “operator of essential services” or a “digital service provider.” Operators of essential services are subject to stricter rules. The term includes organizations that operate critical infrastructure across sectors such as energy, transportation, health, and digital infrastructure. A lighter touch regime has been applied to digital service providers, a term that has been applied to search engines, online marketplaces and cloud computing providers.
NIS2 maintains a layered regulatory system with some significant changes.
Under NIS2, organizations classified as “essential entities” are subject to the strictest requirements and the most comprehensive regulatory oversight. This may include on-site inspections and targeted independent security audits.
Most organizations classified as “operators of essential services” under the original NIS Directive may be classified as “essential entities” under NIS2. However, the concept of “essential entities” is broader and covers many organizations not previously covered by the NIS scheme, such as pharmaceutical companies and operators of hydrogen production, storage and transportation.
Similarly, the concept of “essential entity” has also been extended to some companies that had hitherto been subject only to the lighter touch framework for digital service providers under the original NIS Directive. This is the case, for example, with cloud computing providers. Other technology providers such as data center service providers, managed service providers, and content delivery network providers are also classified as “essential entities” under NIS2.
The light touch regime under NIS2 applies to “significant entities”. In particular, organizations classified as “significant entities” will face less onerous recordkeeping obligations regarding the cybersecurity measures they must take to comply with the law.
The concept of a “significant entity” captures not only the providers covered by the original NIS Directive, but also other categories of organizations. These include computer and automobile manufacturers, food manufacturing and processing companies, chemical companies and waste management companies.
There are certain exceptions listed in NIS2, but generally the law is limited to organizations that meet the definition of essential or significant entities and have at least 50 employees and/or an annual turnover of at least €10 million.
Organizations covered by the NIS2 regime shall take “adequate and proportionate technical, operational and organizational” measures to manage the risks to their network and information systems and to “prevent or minimize the impact of the incident on service recipients and other services.”
Certain cybersecurity measures specified by the law include risk analysis and information system security policies, incident handling policies, access control policies, and the use of multi-factor or continuous authentication solutions. Supply chain security must also be considered. This includes vulnerabilities “specific to each direct supplier and service provider” and “the overall quality and cybersecurity practices of the supplier and service provider’s products, including secure development procedures.”
The organization’s governing body (the “management body” in the Directive’s wording) must “approve the cybersecurity risk management measures taken” and supervise their implementation. Members of these bodies may be held personally liable if the organization fails to comply with its legal cybersecurity obligations.
The exact cybersecurity measures that each organization must take to comply with its legal obligations under NIS2 depend on factors such as its size, its exposure to risk, the likelihood of incidents and their severity, the state of the available technology, and the availability and cost of implementing relevant international standards.
NIS2 also establishes new cybersecurity incident reporting rules. Incidents with a “significant impact” on in-scope services must be notified to the national Computer Security Incident Response Team (CSIRT) or the competent regulatory authority.
NIS2 defines when an incident is “significant”. These are incidents that have caused or may cause significant operational disruption of the service or financial loss to the entity involved, or that have affected or may affect other natural or legal persons by causing considerable material or non-material damage.
Under this Directive, a phased approach to incident notification is provided.
An “early warning”, indicating whether the incident is suspected to have been caused by unlawful or malicious activity and whether it could have a cross-border impact, must be given without undue delay and in any event within 24 hours of becoming aware of the incident. A second report (the incident notification) must be submitted without undue delay and in any event within 72 hours of becoming aware of the incident. This report updates the information provided in the early warning and gives an initial assessment of the incident, including its severity and impact and, where available, the “indicators of compromise”.
The final report must be submitted within one month of the second report being shared. A CSIRT or regulator can request an interim report with “relevant status updates”. The final report should include a detailed description of the incident, including its severity and impact; the type of threat or root cause that likely triggered the incident; the applied and ongoing mitigation measures; and the cross-border impact of the incident, if applicable. If the incident is still ongoing when the final report is due, a progress report must be submitted instead, with the final report following within one month of the incident being handled.
The European Commission is obliged to adopt implementing legislation that supplements the provisions of NIS2. For cloud computing providers, data center providers, content delivery network providers, managed service providers, and providers of online marketplaces, online search engines and social networking service platforms, this legislation specifies the technical and methodological requirements of the cybersecurity measures and when an incident is considered “significant” and therefore subject to the reporting requirements.
Essential entities can be fined up to €10 million or 2% of the organization’s global annual turnover, whichever is higher. For significant entities, the equivalent threshold is €7 million or 1.4% of global annual turnover, whichever is higher.