It’s the final countdown, with only one year to go before EU member states must transpose the EU’s new Network and Information Security 2 Directive (“NIS2”) into national law.
Key Dates
EU Member States have until 17 October 2024 to transpose NIS2 into national law and those national laws will apply to organisations as early as 18 October 2024. Enforcement is likely to start from 17 January 2025, in line with parallel legislation affecting financial services.
Applicability of NIS2
NIS2 applies to certain public and private organisations in the health sector which: (i) provide their services or carry out their activities in the EU; and (ii) employ 50 or more people and have an annual turnover of more than 10 million euros. Some of the health organisations listed in NIS2 are:
- Healthcare providers;
- EU reference laboratories;
- Providers of R&D for medicinal products;
- Manufacturers of basic pharmaceutical products and pharmaceutical preparations; and
- Manufacturers of medical devices including those considered to be critical during a public health emergency and in vitro diagnostic medical devices.
In some circumstances NIS2 may apply to health organisations regardless of their size and turnover, for example where service disruption could have a significant impact on public health or where an entity is identified as a ‘critical entity’ under the Directive on the Resilience of Critical Entities (EU) 2022/2557. These are minimum rules and member states may decide to go further when implementing into national law. Understanding them is likely to be particularly tricky for device manufacturers and initial scoping will be critical to determine which rule(s) apply.
Essential v Important
More healthcare organisations are caught by NIS2 than are by the existing framework (‘NIS1’). NIS2 distinguishes between ‘essential’ and ‘important’ entities, and so organisations must determine which category they fall into to know which obligations apply. For example, manufacturers of medical devices and in vitro diagnostic medical devices are generally classified as important entities. However, entities manufacturing medical devices considered to be critical during a public health emergency are generally classified as essential entities. EU member states must establish a list of each type of entity, and this may be done through a self-registration scheme. We expect further guidance from the European Commission on registration over the next few months.
Essential entities are subject to a more comprehensive supervisory regime than important entities. Both types of entity must take proactive steps to comply; the key difference is that essential entities have less control over determining what is appropriate and proportionate to them, as they must submit themselves to third-party assurance testing. Audit and oversight will also be more onerous for essential entities.
The Compliance Regime
All covered entities must adopt appropriate and proportionate technical, operational, and organisational cybersecurity risk management measures as described in Art. 21 of NIS2, which includes supply chain security. When determining these measures, organisations must undertake a risk-based analysis but are now permitted to take compliance costs into consideration.
Management bodies must approve and oversee implementation of the cybersecurity risk management measures put in place and can be held personally liable if their organisation does not comply with such obligations. They will also be required to undergo cybersecurity risk management training and are encouraged to offer similar training to their employees on a regular basis.
The incident reporting obligations under NIS2 have been enhanced. Both essential and important entities are subject to the same incident reporting obligations. A significant incident is one that: (i) causes, or is capable of causing, severe operational disruption of the services or financial loss to the organisation concerned; and/or (ii) affects, or is capable of affecting, other persons by causing considerable material or non-material damage.
Organisations must submit an early warning report within 24 hours of discovery of a significant incident, followed by an incident notification within 72 hours of discovery. A final report should be submitted no later than one month after the incident notification. EU member states are expected to assist organisations by providing single entry points and automated systems for reporting purposes.
Consequences of Non-Compliance
Among other sanctions, organisations can incur the following administrative fines:
- Essential entities, fines of up to 10 million euros or 2% of global annual turnover, whichever is higher; and
- Important entities, fines of up to 7 million euros or 1.4% of global annual turnover, whichever is higher.
In practice, the extensive cost recovery and mandatory compliance powers may be just as effective as fines in driving policy.
UK Position
Due to Brexit, NIS2 will not be implemented in the UK. However, the UK Government has indicated that updates to NIS1, from a UK perspective, will be made ‘as soon as parliamentary time allows’. The government has already begun the consultation process. Of course, UK companies will be subject to NIS2 if they provide their services in the EU and meet the requirements detailed above.
Next Steps
For most in-scope organisations, complying with NIS2 will be a time-consuming and costly exercise. Therefore, with only one year to go, now is the time to act.
- Initial assessment – organisations should determine whether they are caught by NIS2 and, if so: (i) whether they are an essential or important entity; and (ii) which registration requirements apply to them.
- Gap analysis – organisations that were not regulated by NIS1 will have more work to do to reach compliance with NIS2 than organisations that were regulated by NIS1. Both types of organisation should conduct a gap analysis to understand what changes need to be made to comply with NIS2 and then implement those changes.
- Budget – organisations should budget accordingly for the work needed to comply with NIS2. According to the EU impact assessment for NIS2, companies already subject to NIS1 should expect an increase of up to 12% in their IT spend for the years immediately following the implementation of NIS2. For companies not subject to NIS1, the increased cost estimate is 22%.
- Track national implementation and guidance – to some extent, EU Member States will implement NIS2 in different ways. Therefore, it is important to track national implementation of the law and any guidance from relevant authorities to ensure compliance.
- Ongoing compliance – there are likely to be four phases of compliance: initial scoping; data governance and policy implementation; vendor and contract management; and information sharing.
Watch out for the launch of our new Resiliency Product to help underpin all stages of the new compliance journey!
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.