As many readers will be aware, the EU’s new cybersecurity directive, NIS2, imposes security, incident notification, and governance obligations on entities in a range of critical sectors, including energy, transport, finance, health, and digital infrastructure (for an overview of NIS2, see our previous post here). One of the main reasons the Commission proposed these new rules was the inconsistent manner in which Member States had implemented requirements under the prior directive, NIS. To help improve harmonization further, the Commission has now issued two guidance documents to help assess when NIS2 or sector-specific requirements apply, and to ensure that registration requirements are consistent across the Union.
Guidance on interplay with other cybersecurity laws
NIS2 applies across a range of sectors, some of which are already subject to sector-specific cybersecurity regulations. To avoid duplicating the obligations of entities operating in these sectors, NIS2 states that where an entity is subject to sector-specific obligations that are “at least equivalent in effect” to the substantive cybersecurity or incident notification obligations under NIS2, those NIS2 obligations will not apply (Art. 4). During the legislative process stakeholders debated what this means and how it should work in practice. The final text that was agreed last year sets out a test to measure when sector-specific rules should be considered to be equivalent in effect, and requires the Commission to provide guidelines clarifying the application of the rule.
The first guidance document that the Commission has published sets a high bar, noting, for example, that in assessing whether a sector-specific law’s obligations are equivalent, attention should be paid to all the requirements of NIS2. This includes whether entities are required to take a risk-based approach; whether the law addresses security across hardware, firmware and software; whether entities are required to take an “all-hazards” approach (e.g., considering natural hazards such as floods, rather than pure cyber hazards); and whether the law addresses the specific security risks identified in NIS2, such as business continuity, supply chain security, encryption, and access management.
Likewise, in relation to incident reporting obligations, the guidance document notes that NIS2 sets out multiple incident reporting obligations, each of which should be considered in assessing the equivalence of a sector-specific law. The sector-specific law would therefore need to replicate NIS2’s multi-tiered approach to the reporting of significant incidents with an initial “early warning” within 24 hours followed by intermediate reports and then a final report describing the root cause of the incident. NIS2 also requires notifications to service recipients.
Based on the considerations described above, the Commission concludes that Regulation 2022/2554 (the Digital Operational Resilience Act, or DORA) – a financial services sector specific cybersecurity regulation – is the only law that is “equivalent in effect” to NIS2.
Helpfully, the guidance recognizes that where the NIS2 risk management and incident reporting obligations do not apply to an entity, other linked NIS2 obligations such as the obligation to register information (described in the second guidance document, described below) should also not apply.
Guidance on the information to be provided to Member State authorities
NIS2 requires EU Member States to maintain a register of the “essential” and “important” entities in their Member State. Member States must also provide the list of digital infrastructure providers (such as cloud services providers) to ENISA.
The second guidance document issued by the Commission sets out a template for companies to provide this information to the competent authority in their Member State. The template largely restates the specific requirements listed in NIS2, i.e., information such as each entity’s name, contact details, IP addresses, sector, and the EU member states in which the entity operates. However, the existence of the template gives covered entities a starting point for their submissions.
As it is a directive, NIS2 does not apply directly to covered entities. Instead, Member States must transpose it into their national law by 18 October 2024. In the meantime, companies will need to assess whether the services they provide fall within scope of NIS2 and, if so, begin assessing their security controls and policies against NIS2 obligations.
The Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on NIS and NIS2. If you have any questions about how NIS2 will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.