The NIS2 Directive: How far does it reach?

The NIS2 Directive is one of the most recent efforts of the EU legislator to boost cybersecurity across the bloc and to keep up with the challenges of an increasingly digitalized society and growing cyber threats.

As the name implies, the NIS2 Directive is not the EU’s first attempt to implement harmonized cybersecurity rules at EU level. It follows a previous legislative effort with similar objectives, the NIS Directive.

That said, when comparing the NIS2 Directive with its predecessor, it is clear that the new Directive, which must be transposed into national law of the EU Member States by October 17, 2024, introduces a new era of EU cybersecurity legislation rather than just an update of the existing legal framework.

A new era of EU cybersecurity legislation

Firstly, there is a clear (r)evolution regarding substantive cybersecurity requirements that Member States must implement in their national laws.

Entities in scope of the NIS2 Directive will need to take a proactive approach to cybersecurity by implementing robust cyber governance and cyber risk management measures. This entails that in-scope entities will be required to implement and maintain a cybersecurity program that, at least, covers:

• Risk analysis and information security policies
• Incident handling
• Business continuity
• Supply chain security
• Network and information systems acquisition
• Development and maintenance
• Testing of cybersecurity risk-management measures
• Basic cyber hygiene practices and cybersecurity training
• Policies and procedures regarding the use of cryptography
• Human resources security
• Access control policies and asset management
• Multi-factor authentication or continuous authentication solutions
• Secured voice, video and text communications and emergency communication systems.

The development and practical implementation of the cybersecurity program must be overseen by the company’s management bodies, who should receive cybersecurity-related training to enable them do so in a meaningful way and to prepare them to take on the extra liabilities.

As the NIS2 Directive only sets a minimum standard of harmonization, EU Member States may decide to impose more prescriptive cybersecurity requirements in their national transposition law(s). In light of this, in-scope entities will be required to identify specific requirements that exist at Member State level. Furthermore, competent authorities at EU and Member State level may issue further guidance that should be taken into consideration when determining whether the entity’s cybersecurity risk management program meets regulator expectations.

In addition to cyber governance and cyber risk management measures, the NIS2 Directive sets forth stringent incident reporting obligations with challenging deadlines as short as 24 hours for the initial “early warning” notification to the relevant Computer Security Incident Response Teams or competent authority. These incident reporting obligations will likely require in-scope entities to revise their internal incident handling process.

Entities in scope of the NIS2 Directive

The NIS2 Directive does not only mark a new era in terms of substantive cybersecurity requirements, it also significantly changes the reach of these requirements.

With the NIS2 Directive, the EU legislator abandons the previous approach (under the former NIS Directive) where Member States had to specifically designate the entities in scope of the most stringent obligations. Instead, the NIS2 Directive defines the entities that are in scope directly without the need for further Member State intervention (although there is still some flexibility for Member States to make additional entities subject to their local NIS2 transposition law).

Annex I and II of the NIS2 Directive set forth two lists of entities that, when meeting or exceeding the threshold for medium-sized companies, are considered in scope.

Annex I identifies the types of entities that will be considered “essential entities” (e.g., entities active in the energy, transport, banking, financial markets, health, drinking water, digital infrastructure, B2B ICT service management, public administration and space sectors).

Annex II identifies the types of entities that will be subject to the NIS2 Directive as “important entities” (e.g., entities active in waste management, postal services, chemicals and food, medical device manufacturers, digital providers and manufacturers of electronics).

The NIS2 Directive will also apply to certain entities regardless of their size, such as providers of public electronic communications networks or of publicly available electronic communications services and trust service providers.

Territorial reach

While the NIS2 Directive clearly defines the type of entities that will be subject to it, its territorial reach is more ambiguous. In this respect, Article 2 provides that the NIS2 Directive will apply to entities “which provide their services or carry out their activities within the EU.”

At first glance, this indicates that the NIS2 Directive has a strong extra-territorial reach where the only required nexus with the EU is that an entity provides services or carries out activities in the EU. However, to have a more accurate understanding of the NIS2 Directive’s territorial scope, Article 26 under the section “jurisdiction and territoriality” should also be considered. This Article clarifies that the NIS2 Directive has a strong extra-territorial reach for certain types of entities and a more limited extra-territorial reach for others.

The strong extra-territorial regime (Article 26(2 and 3)) is only applicable to certain tech entities providing services that are cross-border in nature, such as DNS service providers, cloud computing services providers and providers of online marketplaces, of online search engines or of social networking services platforms.

For these entities, it is sufficient to provide services or carry out activities in the EU for the NIS2 Directive to be applicable, even if they are not established in the EU. In the latter case, these entities will be required to designate a representative in the EU and will be under the jurisdiction of the Member State where the representative is established.

The limited extra-territorial regime applies to most other entities (there are special rules for electronic communications networks/services and public administration) and entails that an entity will fall under the jurisdiction of the Member State in which it is established (Article 26(a)). Consequently, if these types of entities are not established in the EU, the NIS2 Directive will not apply to them.

Contributing author: Tiago Sérgio Cabral, Associate, Hunton Andrews Kurth