NIS2: Getting Ready for the EU’s Upcoming Cybersecurity Regulations

Navigating the Revised EU Cybersecurity Directive (NIS2): Key Obligations for Businesses

EU Introduces New Cybersecurity Rules with High Fines for Noncompliance

The European Union (EU) has recently revised its Cybersecurity Directive, known as NIS2, to enhance cyber resilience across various sectors. The new rules, which will apply to a wide range of companies, introduce stringent cybersecurity obligations and impose significant fines for noncompliance. EU member states have until October 17, 2024, to implement the new rules, prompting companies to assess the impact on their cybersecurity strategies.

The EU Cybersecurity Strategy, which includes the NIS2 directive, aims to bolster the EU’s cyber resilience. In addition to NIS2, other initiatives such as new cybersecurity rules for software and hardware products, security requirements in the financial sector, and standards for protecting critical entities against disruptive incidents have been introduced.

The scope of NIS2 has been expanded compared to its predecessor, the NIS Directive, and now includes essential and important entities operating in the EU. These entities span various sectors, including digital services, airlines, banks, research and development activities, manufacturers of medical devices, social networking platforms, electrical equipment manufacturers, and food production companies.

Key obligations under NIS2 include implementing cybersecurity risk management measures, incident reporting obligations, and early warning requirements. Companies must notify the national Cyber Security Incident Response Team (CSIRT) of significant incidents within specific timeframes and provide detailed incident reports.

Certain essential and important entities established in multiple EU countries will benefit from a one-stop-shop mechanism, simplifying compliance with cybersecurity laws. However, companies that fail to meet reporting or cybersecurity obligations may face fines of up to €10,000,000 or 2.0 percent of their worldwide annual turnover for essential entities and up to €7,000,000 or 1.4 percent of their worldwide annual turnover for important entities.

As the deadline for transposing NIS2 approaches, companies are advised to carefully review and adapt their cybersecurity strategies to comply with the new rules. It is essential for businesses to understand the varying requirements across EU member states and ensure compliance with local laws.

For more information on the new EU Cybersecurity Directive and its implications for businesses, companies can contact privacy and cybersecurity experts at Wilson Sonsini. Stay tuned for further updates on cybersecurity regulations in the EU and the UK.