On 28 November 2022, the EU Council adopted the EU Parliament's approval of the directive on measures for a high common level of cybersecurity across the Union ("NIS2"). NIS2 expands the scope to include more sectors and services compared to the current NIS directive. NIS2 sets out new requirements under which companies will be obliged to e.g., implement routines for information security as well as risk and incident management, and to notify local authorities of serious cyber security incidents within 24 hours. Violating these requirements may be subject to fines of up to two percent of the company's annual turnover. Although the EU Council has not yet formally adopted NIS2, it is currently being considered by the Norwegian Ministry of Justice for implementation. Thus, companies should be prepared and evaluate the internal routines and policies as compared to the new requirements.
NIS2 is part of a broader EU legislation on cybersecurity which aims specifically to achieve a high common level of cybersecurity across the EU. Thus, NIS2 is closely related to e.g., the Proposal for a Directive of the European Parliament and of the Council on the resilience of critical entities (COM/2020/829) and does also contain provisions regarding such entities.
Who will need to comply?
NIS2 is extensive and affects many different sectors and services, including companies that are considered critical for both the economy and society. This extension entails that the providers of services within 15 defined sectors fall within the scope. Further, NIS2 distinguishes between essential and important services, which are listed in annex 1 and annex 2, respectively.
Annex 1 includes different private and public providers of "essential" services within energy, transport, banking, financial market infrastructure, health, drinking water, discharged water, digital infrastructure, public administration, and space operations. The providers of "important" services listed in annex 2 are postal and courier services, waste management, production and distribution of chemicals, food production, processing, and distribution.
In principle, only larger companies will be subject to NIS2. However, there are exceptions to this including companies of particular security importance. A company may be of such importance e.g., if the company is the sole provider in an EU country or operates in a particularly vulnerable business.
What are the new requirements?
Relevant companies must implement an internal risk management method based on a list of fundamental security elements. In addition, NIS2 sets out more specific minimum requirements, including the obligation to manage cyber security risks in the supply chains and with the suppliers, to keep plans for maintenance, monitoring and testing as well as the use of crypto.
NIS2 also introduces more precise requirements on the process for notifying incidents, i.e., what incidents must be notified, when and how. Companies must notify the local authorities of cyber security incidents within 24 hours and provide a more detailed report within 72 hours. Companies that do not comply may be liable to fines of up to 2 percent of turnover (for "essential" service providers) and up to 1.4 percent (for "important" service providers).
How to prepare?
It goes without saying that although it is uncertain when NIS2 will be implemented in Norway, the basic principles will eventually be reflected in national legislation. Thus, companies may want to consider assessing the current state of their digital security and also how the business can adapt the new and specific requirements. In a time where digital vulnerability is becoming ever more relevant, companies may benefit from optimizing their digital security regardless of the implementation of NIS2.
We recommend companies to start mapping the digital security, potential risks and how to mitigate such risks. In our experience it may also be beneficial to appoint one or more employees as responsible for digital security. The need for such roles will likely become more evident once a company assesses its current security situation.
Finally, we recommend that companies implement routines and procedures on how to manage risks and potential incidents. These routines and procedures should be designed to be practical, targeted and effective to enable the company to meet the deadline for notifying the local authorities of incidents.
This security work may also be necessary for companies' compliance with the GDPR, including the requirement of establishing an internal control sufficient to evidence that data is processed in line with the principles relating to processing of personal data. Some companies may also need to re-evaluate already implemented security standards such as ISO certifications to verify if new security elements need to be added in light of NIS2.
Our specialist lawyers have extensive experience in advising Nordic and international providers and purchasers of digital services with particular emphasis on IT, telecom, cybersecurity, data protection, national security issues and regulatory compliance. We regularly assist technology and corporate clients in creating and implementing routines, IT contracts, compliant outsourcing and cloud arrangements as well as providing strategic and legal advice in a commercial context.
This article is intended to be a general summary of the law and does not constitute legal advice. Consult with counsel to determine applicable legal requirements in a specific situation.