NIS2 (Directive (EU) 2022/2555) is a European Union directive that updates and expands the cybersecurity requirements established by the original NIS directive (Directive (EU) 2016/1148) from 2016.
The NIS2 directive was adopted by the European Parliament and the Council of the European Union on December 14, 2022, and entered into force on January 16, 2023. Member states must transpose it into national legislation by October 17, 2024 and apply the new rules from October 18, 2024.
The primary goal of the NIS2 directive is to raise the common level of cybersecurity of critical infrastructures across the European Union and to ensure better coordination and harmonization of security measures among member states. Affected entities should therefore be ready to comply with the new requirements by October 2024.
Who must comply with the NIS2 provisions?
NIS2 applies to a broader range of sectors than the initial NIS directive. Entities are captured on a size-cap basis (using the EU definition of medium-sized and large enterprises) and are classified into two main categories, which determine the supervisory regime and the level of penalties:
- Essential Entities: large enterprises (at least 250 employees, or an annual turnover exceeding EUR 50 million together with an annual balance sheet total exceeding EUR 43 million) operating in the sectors of high criticality listed in Annex I of the directive, including:
  - Energy
  - Transport
  - Banking and financial market infrastructures
  - Public Administration
  - Health
  - Drinking water and waste water
  - Digital Infrastructure (e.g., data centres, cloud computing providers, public telecommunications networks and services)
- Important Entities: medium-sized enterprises (at least 50 employees, or an annual turnover or balance sheet total exceeding EUR 10 million) operating in the Annex I sectors above, as well as medium-sized and large enterprises operating in the other critical sectors listed in Annex II, including:
  - Postal and courier services
  - Waste Management
  - Chemical industry (manufacture, production and distribution of chemicals)
  - Research
  - Food production, processing and distribution
  - Digital Providers (e.g., online marketplaces, online search engines, social networking platforms)
Certain entities fall within the scope regardless of their size, for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, and entities that are the sole provider of an essential service in a member state.
Main Requirements of the NIS2 Directive
NIS2 introduces stricter cybersecurity requirements and provides severe penalties for non-compliance (administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to EUR 7 million or 1.4% for important entities):
- Cyber Risk Management: Organizations must adopt appropriate and proportionate technical, operational and organizational measures to manage cyber risks, including policies on risk analysis and information system security, incident handling, cryptography and encryption, access control and asset management, multi-factor authentication, cyber hygiene and training, and supply chain security.
- Incident Reporting: Entities must notify the competent authority or CSIRT of significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours (updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise), and a final report no later than one month after the incident notification.
- Management Responsibility: The management bodies of the company must approve the cybersecurity risk-management measures, oversee their implementation and follow cybersecurity training. They may be held liable for infringements, and, in the case of essential entities, the natural persons responsible for management may be temporarily banned from exercising managerial functions.
- Business Continuity: Companies must ensure business continuity in the event of cyber incidents, including backup management, disaster recovery and crisis management.
Conclusion
NIS2 imposes stricter security requirements, requires closer coordination between member states, and applies to a broader range of essential and important sectors of the EU economy. Affected companies should quickly assess whether they fall within the scope of the directive and implement the necessary measures to comply by October 2024.
For further information or any additional inquiries, please do not hesitate to contact us:
➡ Phone: (+4) 031 426 0745
📧 Email: office@grecupartners.ro
We are here to assist and provide legal support for all your needs. We look forward to hearing from you.
Elena Grecu – Attorney at Law