NIS 2 implementation deadline has arrived – What to look out for now

NIS 2 Directive enhances EU cybersecurity by setting stricter standards for in-scope entities, requiring national law adoption by 17 Oct 2024.

11 October 2024

Publication



1. NIS 2 Directive: Implementation status

The Network and Information Security 2 Directive (“NIS 2”) aims to strengthen cybersecurity measures across the European Union (“EU”) by imposing stricter requirements on companies and organizations that provide in-scope services. As a directive, it requires adoption into national law, the deadline for which was 17 October 2024.

Several countries have already transposed NIS 2 into national law, including Belgium, Croatia, Hungary, Lithuania, and Latvia. The German implementation act, the NIS 2 Umsetzungsgesetz (“NIS2UmsuCG”), is currently anticipated to come into force in early 2025.

NIS 2 introduces a range of new legal obligations for companies and organizations, including:

  • Expanding the scope of covered entities to include more sectors and services, such as digital providers, waste management, and manufacturing of critical products
  • Introducing stricter cybersecurity risk management and reporting obligations, including regular risk assessments and implementation of state-of-the-art security measures
  • Harmonizing incident reporting requirements across member states, with specific timelines for reporting significant incidents
  • Strengthening cooperation and information sharing between member states through, among other things, the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), the cooperation network established under the NIS 2 Directive to support the coordinated management of large-scale cybersecurity incidents and crises at the operational level and to ensure regular information exchange among EU Member States and relevant EU institutions, bodies, offices, and agencies.

Failure to comply with these requirements could result in significant fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Non-compliance may also lead to reputational damage and loss of customer trust. It is crucial for organizations to understand their obligations under NIS 2 and take proactive steps to ensure compliance.

3. Thresholds Under NIS 2

NIS 2 broadens the scope of entities covered by cybersecurity regulation, categorizing them as either "essential" or "important" based on various factors, including headcount and annual turnover. These thresholds determine which organizations fall under the directive's purview and what specific obligations they must meet.

3.1 Threshold Criteria
The thresholds for classification as an essential or important entity under NIS 2 are based on:

  • Company Size: Measured by number of employees
  • Annual Turnover: Financial performance of the organization
  • Sector-Specific Criteria: Tailored to the nature of the industry

3.2 Low Thresholds
Some of the thresholds set by NIS 2 are considered quite low, potentially bringing a large number of small and medium-sized enterprises (SMEs) under its scope. For example:

  • Employee Count: Organizations with as few as 50 employees may be classified as important entities in certain sectors.
  • Annual Turnover: The threshold for some sectors starts at €10 million, which is relatively low for many industries.

These relatively low thresholds present challenges due to several factors:

  • Compliance Burden: Smaller organizations may struggle with the resources required to implement comprehensive cybersecurity measures.
  • Technical Expertise: SMEs might lack the in-house expertise to fully understand and implement the required security controls.
  • Financial Impact: The cost of compliance could be disproportionately high for smaller entities relative to their overall budget.
  • Operational Challenges: Implementing stringent cybersecurity measures may disrupt existing business processes for smaller organizations.

Regardless of size, entities with a high security risk profile are also subject to NIS 2 requirements. This provision acknowledges that even smaller organizations can be attractive targets for cyber attackers due to the sensitive nature of their operations or the data they handle.

3.3 Affected Groups
NIS 2 particularly affects the following groups:

  • Essential Entities: These include digital infrastructure bodies, ICT-service management (B2B), and healthcare providers. Essential entities are subject to the most stringent requirements due to their critical role in maintaining societal and economic stability.
  • Important Entities: Manufacturers of chemicals, food production entities, and digital providers fall under this category. While not as critical as essential entities, important entities still play a significant role in the economy and are required to implement robust cybersecurity measures.
  • Member State Governments: NIS 2 places obligations on EU member states to develop and implement comprehensive cybersecurity strategies, establish crisis management frameworks, and set up incident response teams. Governments must also ensure that the entities within their jurisdiction comply with the directive's requirements.

4. Interplay Between DORA and NIS 2

NIS 2 and the Digital Operational Resilience Act (“DORA”) represent partially overlapping requirements aimed at enhancing cybersecurity across the EU. While DORA focuses specifically on the financial sector and its IT service providers, NIS 2 aims to bolster cyber resilience across all critical sectors, including healthcare, transport, energy, and digital infrastructure.

DORA and NIS 2 work in tandem to enhance the digital resilience of financial institutions and critical infrastructure. Under the lex specialis principle, DORA, as sector-specific legislation, takes precedence over NIS 2 for financial entities. DORA’s requirements are at least equivalent to those of NIS 2, so financial entities covered by DORA are subject to a cybersecurity framework that is no less robust.

It’s important to note that DORA will be applicable from 17 January 2025, while member states must transpose NIS 2 into national law by 17 October 2024. This harmonization between DORA and NIS 2 underscores the EU’s commitment to creating a comprehensive and cohesive cybersecurity framework, ensuring that financial institutions and other critical sectors are well-equipped to face the evolving digital threats of today and tomorrow.

5. Cyber and Physical Security – How NIS 2 and the CER Directive Complement Each Other

NIS 2 and the Critical Entities Resilience Directive (“CER”) work together to bolster the cyber and physical security of critical infrastructure within the European Union. NIS 2 focuses on cybersecurity, requiring essential and important entities to implement measures to manage risks to their network and information systems. Meanwhile, CER adopts a broader “all-hazards” approach, addressing the overall resilience of critical entities against threats such as natural disasters, terrorism, insider threats, and sabotage.

Both directives cover many of the same critical sectors, including energy, transport, health, drinking water, and digital infrastructure. However, NIS 2 categorizes entities into “essential” and “important” based on factors like headcount and annual turnover. In contrast, the CER allows Member States to identify specific critical entities and outlines broad categories for sectors that should be considered, along with the security measures that EU member states should impose on these entities once identified.

The two directives establish similar governance structures, with each Member State designating a competent authority to oversee implementation. Entities covered by these directives must regularly assess risks, take appropriate technical and organizational measures to ensure their resilience, and notify authorities of significant incidents.

By strengthening cybersecurity under NIS 2 and physical security under the CER, the EU seeks to establish a robust framework to protect the critical services and infrastructure that citizens rely on. This dual approach ensures that both cyber and physical threats are addressed, enhancing the overall resilience of critical infrastructure across the EU.

The CER is being transposed into German law through the draft KRITIS Umbrella Act (Kritische-Infrastrukturen-Dachgesetz or KRITIS-DachG). The latest draft of this act is from April 2024. The German government is still in the process of finalizing it and it is expected to be passed in early 2025.

6. Practical Steps for Compliance

Organizations should take proactive steps towards NIS 2 compliance by:

  • Assessing current cybersecurity practices and identifying any gaps in relation to NIS 2 requirements. This may involve conducting a comprehensive cybersecurity audit and gap analysis.
  • Developing and implementing a comprehensive cybersecurity risk management framework. This should include regular risk assessments, implementation of security controls, and continuous monitoring of cybersecurity threats.
  • Establishing clear incident reporting procedures and training relevant staff. This includes creating an incident response plan and conducting regular drills to ensure readiness.
  • Engaging with legal experts to ensure a thorough understanding of NIS 2 obligations and potential "gold-plating" in national legislation. This may involve seeking specialized legal counsel to interpret the directive and its national implementations.

At Simmons, our experienced team of cybersecurity and data protection lawyers is well-equipped to guide clients through the complexities of NIS 2 compliance. We offer a range of services, including legal assessments, policy development, and training, to help organizations strengthen their cybersecurity resilience and meet their regulatory obligations.

7. Monitoring Member State Implementation

As a directive, NIS 2 sets out the general framework and objectives, but leaves the specific implementation details to each EU member state. This means that individual countries have the flexibility to fine-tune and potentially "gold-plate" the new cybersecurity requirements to fit their national context. "Gold-plating" refers to the practice of exceeding the terms of EU legislation when implementing it into national law, which can lead to additional compliance burdens for businesses.

Organizations providing services within the EU should diligently monitor the implementation processes in each member state they operate within. This will help them stay informed about any additional requirements or variations in the national legislation that may impact their compliance efforts.

8. Enforcement Challenges

Even after the implementation deadline of 17 October 2024, NIS 2 will not become directly enforceable in Germany until the NIS2UmsuCG is passed. This is because the directive relies on national legislation for its enforcement mechanisms, which will be set out in the forthcoming German implementation act.

This delay in enforcement creates a complex situation for businesses operating across multiple EU countries. While they may already need to comply with NIS 2 in other member states by October 2024, they will have additional time to prepare for compliance in Germany. However, companies should not view this as an opportunity to delay their compliance efforts, as aligning with NIS 2 requirements is a complex process that requires significant time and resources.

9. Next Steps for Germany

The next step for Germany is to finalize the draft of the NIS2UmsuCG, which is expected to be in its final politically agreed form soon. The German government will then proceed with the legislative process, which includes debates in the Bundestag (federal parliament) and Bundesrat (federal council representing the states).

The vote on the NIS2UmsuCG is anticipated to take place in early 2025, likely in February or March. Once passed, the act will come into force shortly thereafter, providing the necessary legal basis for enforcing NIS 2 in Germany.

10. Key Takeaways on NIS 2

  • The NIS2UmsuCG is expected to come into force in early 2025
  • Organizations should monitor member state implementation for potential "gold-plating" and variations in national legislation
  • Enforcement of NIS 2 in Germany will not be possible until the NIS2UmsuCG is in place
  • Companies and organizations should proactively align their cybersecurity practices with NIS 2 requirements to ensure a smooth transition
  • Seeking expert legal advice is crucial to navigate the complexities of NIS 2 compliance across different EU member states

For more information on how Simmons can assist your organization in navigating NIS 2 and its implementation, please contact Christopher Götz, who leads our cybersecurity and data protection team in our Munich office. Our experts are ready to help you understand your obligations, assess your current practices, and develop a comprehensive compliance strategy tailored to your specific needs. Please also see our previous article on NIS 2 [LINK], in which we explained some of the core features of the German implementation act.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.