European Union: Implemented Network and Information Security Directive (NIS2) ensuring a higher level of cybersecurity

On 18 October 2024, the Network and Information Security Directive (NIS2) was implemented. The NIS2 aims to ensure a higher level of cybersecurity at the EU level by coordinating national approaches to and Governance of cybersecurity. The Member States had until 17 October 2024 to transpose the Directive into national law. The NIS2 outlines cybersecurity obligations across sectors, including energy, transport, banking and finance, health, and providers of public electronic communications networks and digital services. The NIS2 includes definitions, cybersecurity incident reporting requirements and sanction mechanisms. The NIS2 specifies the incidents classified as "significant" and provides clarity regarding the classification of entities as "essential" or "important". The entities classified as "essential" include qualified trust service providers, public electronic communications network providers or publicly available electronic communications services, and entities listed in Annexes I and II. Entities not listed as "essential" are classified as "important". The "essential entities" are subject to the ex-ante and ex-post regulatory regimes, and the "important entities" are subject only to the ex-post regulatory regime. Furthermore, the Directive requires incidents that caused or are "capable of causing severe operational disruption or financial losses" and those that affected or are "capable of affecting other natural or legal persons" to be reported within 24 hours. The Member States are required to ensure the covered entities implement cybersecurity risk management measures to minimise the impact of incidents. The measures include establishing preventive, detective and responsive systems, employing cryptography and encryption and running backup management and disaster recovery. The penalties for non-compliance with the cybersecurity risk management measures and reporting requirements are maximum EUR 10 million or up to 2% of the global turnover for "essential entities". The fines for "important entities" are set at EUR 7 million or 1.4 % of the global turnover.