As many readers will be aware, the EU’s new cybersecurity directive, NIS2, imposes security, incident notification, and governance obligations on entities in a range of critical sectors, including energy, transport, finance, health, and digital infrastructure (for an overview of NIS2, see our previous post here). One of the main reasons the Commission proposed these new rules was the inconsistent manner in which Member States had implemented requirements under the prior directive, NIS. To help improve harmonization further, the Commission has now issued two guidance documents to help assess when NIS2 or sector-specific requirements apply, and to ensure that registration requirements are consistent across the Union.

Guidance on interplay with other cybersecurity laws

NIS2 applies across a range of sectors, some of which are already subject to sector-specific cybersecurity regulations. To avoid duplicating the obligations of entities operating in these sectors, NIS2 states that where an entity is subject to sector-specific obligations that are “at least equivalent in effect” to the substantive cybersecurity or incident notification obligations under NIS2, those NIS2 obligations will not apply (Art. 4). During the legislative process stakeholders debated what this means and how it should work in practice. The final text that was agreed last year sets out a test to measure when sector-specific rules should be considered to be equivalent in effect, and requires the Commission to provide guidelines clarifying the application of the rule.

The first guidance document that the Commission has published sets a high bar, noting, for example, that in assessing whether a sector-specific law’s obligations are equivalent, attention should be paid to all the requirements of NIS2. This includes whether entities are required to take a risk-based approach; whether the law addresses security across hardware, firmware and software; whether entities are required to take an “all-hazards” approach (e.g., considering natural hazards such as floods, rather than pure cyber hazards); and whether the law addresses the specific security risks identified in NIS2, such as business continuity, supply chain security, encryption, and access management.

Likewise, in relation to incident reporting obligations, the guidance document notes that NIS2 sets out multiple incident reporting obligations, each of which should be considered in assessing the equivalence of a sector-specific law. The sector-specific law would therefore need to replicate NIS2’s multi-tiered approach to the reporting of significant incidents with an initial “early warning” within 24 hours followed by intermediate reports and then a final report describing the root cause of the incident. NIS2 also requires notifications to service recipients.

Based on the considerations described above, the Commission concludes that Regulation 2022/2554 (the Digital Operational Resilience Act, or DORA) – a financial services sector specific cybersecurity regulation – is the only law that is “equivalent in effect” to NIS2.

Helpfully, the guidance recognizes that where the NIS2 risk management and incident reporting obligations do not apply to an entity, other linked NIS2 obligations such as the obligation to register information (described in the second guidance document, described below) should also not apply.

Guidance on the information to be provided to Member State authorities

NIS2 requires EU Member States to maintain a register of the “essential” and “important” entities in their Member State. Member States must also provide the list of digital infrastructure providers (such as cloud services providers) to ENISA.

The second guidance document issued by the Commission sets out a template for companies to provide this information to the competent authority in their Member State. The template largely restates the specific requirements listed in NIS2, i.e., information such as each entity’s name, contact details, IP addresses, sector, and the EU member states in which the entity operates. However, the existence of the template gives covered entities a starting point for their submissions.

Next steps

As it is a directive, NIS2 does not apply directly to covered entities.  Instead, Member States must transpose it into their national law by 18 October 2024. In the meantime, companies will need to assess whether the services they provide fall within scope of NIS2 and, if so, begin assessing their security controls and policies against NIS2 obligations. 

*********

The Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on NIS and NIS2. If you have any questions about how NIS2 will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Photo of Aleksander Aleksiev Aleksander Aleksiev

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and…

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and charitable organizations on a range of technology law issues including data breach response, compliance with privacy and cybersecurity laws, and IT contract negotiations. In addition to his experience advising on European law, Aleksander is Australian-qualified and has significant experience advising clients in the Asia-Pacific – particularly on Australian and Hong Kong law.

Photo of Paul Maynard Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online…

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.