NIS2: how will it be transposed in European countries?

The NIS2 Directive is the latest European cybersecurity regulation, aiming to improve the overall cybersecurity measures and resilience against cyberattacks across various sectors. It requires companies to promptly report security incidents to authorities and comply with new regulations. Non-compliance with the revised directive can result in significant financial penalties, administrative fines and, in some cases, director responsibility.

SMEs need to be aware of the NIS2 Directive and how it impacts their business, focusing on:

1. Enhancing their cybersecurity posture, network and information security to protect against the evolving cybersecurity threat landscape.

2. Staying informed about the changing regulatory landscape and adapting accordingly.

3. Ensuring timely threat incident detection, response, and reporting as required by NIS2.

Introduction into NIS2 directive

After being voted through by MEPs in November 2022, the new "NIS-2" directive came into force on 16th January 2023. European Union Member States now have 21 months (until 17th October 2024) to transpose these measures into national law. What are the key elements of the NIS directive reform? How are countries such as France, Germany, Belgium or the Netherlands planning to transpose these new cybersecurity measures and requirements into their respective national legislations? This article explains how.

1. NIS2 - Essential and important entities to reinforce cybersecurity in Europe

In 2016, the European Union adopted the Directive for Security of Networks and Information Systems (NIS), a first series of cybersecurity-dedicated measures. It sought to raise the level of security on the European market in response to threats related to digital transformation in the Member States.

As these threats evolved, cyberattacks on the supply chain increased and cyber crime became more professional, the directive needed to be reinforced. This is why NIS-2 is expanding both its objectives and its scope. This new version of the directive will harmonise and reinforce existing legal and regulatory framework around the European market's cybersecurity and in particular will:

• Enforce organisations to improve their cyber resilience to cybersecurity attacks.

• Harmonise cybersecurity and information systems obligations across all sensitive sectors which are vital for society and nations to function properly.

• Oblige companies to report security incidents and their response to the competent authorities within 24 hours.

• Improve information sharing between Member States.

For most countries, 35 sectors of activity (compared to 19 in the first version) are now covered by the European directive, including the energy, water and transport sectors, as well as the waste management, postal services and food production sectors. It's important to note that not all SMEs are subject to NIS2 directive. This regulation specifically applies to companies with more than 50 employees and 10 million euros yearly turnover, with certain exceptions for companies operating in specific areas such as MSPs and MSSPs. These regulations are applicable across all EU member states.

In addition, the previous statuses such as OES (Operator of Essential Services) for France, an operator whose activity is considered as key for society and the country and where a failure could have a significant impact on the operation and security of the State, have given way to the new acronyms EE (Essential Entities) and IE (Important Entities). Digital service operators of essential services providers and regional authorities are also now integrated into this security mechanism along with the whole supply chain security, who were the main parties left out of the NIS-1 directive.

It now falls to each country to draw up a list of national entities who will need to submit to the NIS-2 directive. All the private or public companies concerned will then need to meet the Directive's requirements for security and reporting requirements and will also be obliged to notify their competent authorities of any security incidents within 24 hours for early alerts and within 72 hours for incident declarations.

In the event of serious incidents of non-compliance, NIS-2 provides for significant financial penalties (in millions of Euro or as a % of worldwide turnover) and also engages the responsibility of management bodies and directors in specific cases. These sanctions will be announced by the competent national authorities.

2. NIS2 Netherlands: an increase in the number of competent authorities

The law on network and information system security, Wet beveiliging netwerk- en informatiesystemen  (Wbni) is the Dutch implementation of the NIS-1 directive and is due to be updated with the revision of the NIS-2 directive. The Dutch regulator Rijksinspectie Digitale Infrastructuur (RDI) has developed a self-evaluation tool . Organisations can use it to determine themselves if the provisions of the Wbni apply to them. This system will be evolving with the transposition of NIS-2. For its part, the Dutch competent authority, the Nationaal Cyber Security Centrum  (NCSC), has announced on its website that an Internet consultation period will take place in 2023 with citizens, companies and government institutions in order to "indicate any improvements to the legislation and the regulations which are being drafted".

Note that in the Netherlands there is no one single competent authority  and that incidents are reported  to the NCSC's CERT  and to the regulator concerned according to the sectors of activity:

• National digital infrastructure inspection: RDI since 1st January 2023, replacing the Autoriteit Persoonsgegevens (AP) regulator, which is the regulating body for cybersecurity risk management and data protection in the Netherlands.

• Dutch central bank (DNB): for companies in the financial sector.

• Human environment and transport inspection (ILT): for companies in the telecommunications sector.

• Health and youth assistance inspection (IGJ): for bodies in the health and youth sector.

3. NIS2 Germany: the IT security law 3.0

In 2015 , the law on improving IT security and cybersecurity risk management measures (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme) obliged critical companies designated as KRITIS  (Kritische Infrastrukturen), to prove their compliance with the security requirements laid down by the BSI (Bundesamt für Sicherheit in der Informationstechnik), Germany's federal agency for information security.

In June 2017, the NIS1 directive was transposed into an IT security law called IT-Sicherheitsgesetz. In this context, the BSI received new powers and functions and is the competent authority responsible for monitoring the security of KRITIS operators and digital service providers. The BSI is also tasked with coordinating the response to cybersecurity incidents at a national level.

In 2021, the law on IT security 2.0  reinforced the cybersecurity level of KRITIS entities which now need to detect attacks, indicate the relevant incidents and provide information security to the BSI for crisis and incident management.

NIS-2's requirements could be dealt with as the version 3.0  of the law on IT security, which plans to expand the methodology, the regulated companies and the reporting obligations. In effect, NIS-2 imposes itself on the KRITIS but does not stop there. The BSI is tasked with identifying the EE and IE entities in its country (an expansion of the current KRITIS operators) and monitoring and applying the same cybersecurity standards and requirements imposed by the NIS-2 directive.

4. NIS2 Belgium: the NIS2 directive national law

Created in 2015, the competent national authority agency is the CCB (Centre for Cybersecurity Belgium) which is attached to the Federal Public Service (SPF) of the Prime Minister's Chancery. It enabled the 2016 NIS European (NIS EU) directive to be transposed into the NIS-1 law of 2019. All security incidents affecting the public and private entities concerned must be indicated on the incident declaration platform set up by the CCB  and the CERT.be (https://nis-incident.be/).

For this second version of the security directive, the Belgian centre estimates that the number of organisations affected has increased by a factor of 20 , from around one hundred at the moment to some 2 500 entities. 18 sectors are affected in Belgium. The 6 sectors in NIS-1 are expanded with 12 new sectors, such as the food production industries, public services, the chemicals industries or the health and energy sectors.

The new NIS-2 law is currently being prepared in order to be published before October 2024, the deadline imposed by the NIS-2 directive. This law will apply to entities established in Belgium defined on the CCB's official website  as implying "the effective exercise of an activity via a stable installation. The legal form retained for such an establishment, whether it is a branch office or a separate legal subsidiary, is not vital in this respect. This criterion should not depend on the physical location of the network and the information systems". Foreign companies who have a presence in Belgium and whose sectors of activity are included in the 18 key sectors will be subject to the NIS-2 directive.

5. NIS2 France: from OIVs to EEs

In 2013, the LPM (Military Programming Law) introduced the concept of OIVs (Organisation of Vital Interest) and imposed high security requirements on them. In 2018, the OIVs were expanded to OESs with the transposition of NIS into French law. These major actors who were essential to the smooth operation of the State were then obliged to submit to cybersecurity risk management and security measures, and report their security incidents to the ANSSI (Agence nationale de la sécurité des systèmes d'information), France's national digital security authority.

The ANSSI is piloting the consultation phase of work to transpose the NIS-2 directive into French law, in conjunction with government ministers, the different stakeholders in France and European partners. The agency is also tasked with drawing up the country's list of essential and important entities, which are classified according to their level of criticality. The ANSSI "plans to use this concept to define requirements which are adapted and proportionate to the stakes involved in each of these categories", it states on its official website.

Guillaume Poupard, the ANSSI's Chief Executive, said when NIS-2 was adopted in the European Parliament in June 2022  "the number of actors classified as OES will increase by a factor of 10 and they will be regulated". The future legislation affects thousands of private entities too, from SMEs to CAC40-registered companies, not forgetting administrations of all sizes (central administrations and regional authorities).

Conclusion - Cybersecurity risk management measures are essential

Each Member State and its competent authorities are now working to transpose the NIS-2 directive so that national legislation can be adopted by October 2024. If your company provides digital services in the sectors mentioned in the European Union, it is vital that you make sure that you meet the compliance requirements in each of these countries. As we have seen, the list of sectors may vary according to the countries and the competent authorities involved. This is also the case for how security incidents are reported.

If you would like help from cybersecurity professionals, don't hesitate to contact eye security's teams.

Eye Security - Go Beyond NIS2 to protect your business against cyber threats

To help organisations navigate the complex NIS2 requirements, Eye Security offers a comprehensive Managed Detection and Response (MDR) service combined with insurance coverage. This all-in-one package is designed to provide an easy-to-understand and cost-effective solution, with prices starting from €10 per employee per month.

By partnering with Eye Security, SMEs can:

1. Improve their overall cybersecurity posture, information systems and cyber resilience against cyberattacks.

2. Stay up-to-date and prepared for evolving cybersecurity regulations.

3. Receive expert assistance in incident detection, response, and reporting to comply with NIS2's reporting requirements.

4. Minimise the financial and operational impact of cybersecurity incidents with tailored insurance coverage.

With Eye Security, organisations can confidently focus on their core business while ensuring their cybersecurity needs and network and information systems are professionally managed and aligned with the NIS2 Directive requirements.