A board member’s guide to NIS2 compliance and risk management

All organisations covered by the NIS2 directive must meet its requirements by Q4 2024. The new directive highlights the crucial role of cybersecurity as a board-level concern by imposing accountability on corporate management to oversee, endorse and undergo training on the organisation’s cybersecurity measures. This underscores the importance of prioritising cybersecurity at the highest levels of an organisation.

Key takeaways:

  • NIS2, which will come into effect on 18 October 2024, seeks to improve the ability of critical sectors to withstand cyber threats across the EU.
  • The directive places a strong emphasis on personal accountability for stakeholders involved in cybersecurity risk management, and non-compliance may result in severe financial penalties.
  • To comply with the new legislation, organisations falling under its jurisdiction must implement essential cybersecurity measures.

What is NIS2?

The directive is a continuation and expansion of the previous EU cybersecurity directive, known as NIS. NIS2 aims to enhance the security of network and information systems within the EU by requiring the operators of critical infrastructure and essential services to implement appropriate security measures and report any incidents to the relevant authorities. The directive modernises the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. By expanding the scope of the cybersecurity rules to new sectors and entities, it improves the resilience and incident-response capacities of public and private entities, competent authorities, and the EU.

EU member states have until 17 October 2024 to transpose the directive into national law. This means that each organisation encompassed by the directive will be legally obligated to live up to its requirements by Q4 2024. The directive has not yet been transposed in Finland; however, a draft of the government’s proposal for the implementation of NIS2 has been compiled.

What sectors does NIS2 apply to?

NIS2 applies to organisations within specific sectors with a minimum of 50 employees and/or an annual turnover of EUR 10 million. However, there are exceptions where these organisation-size criteria are not relevant: if an organisation falls under the Critical Entities Resilience Directive (the CER directive), NIS2 automatically applies.

NIS2 categorises entities into two groups: essential entities (e.g. finance, energy, transport, healthcare) and important entities (e.g. waste management, food, manufacturing). As a rule, organisations with at least 250 employees or an annual turnover exceeding EUR 50 million and a balance sheet total exceeding EUR 43 million are essential entities.

Management responsibilities and sanctions

The new directive emphasises the importance of cybersecurity as a board-level concern by holding senior leadership and the board liable for infringements, highlighting the need to prioritise cybersecurity at the highest levels of an organisation.

According to NIS2, the governing bodies of both essential and important entities are required to endorse cybersecurity risk management measures and supervise their implementation. The management can be held liable for any breaches of these measures, although this liability does not supersede existing national laws concerning the liability of public institutions, officials, or servants. Additionally, the governing bodies are responsible for ensuring they are equipped with the necessary knowledge and skills to evaluate cybersecurity risks and management practices, providing training opportunities where appropriate. Similar training opportunities should be regularly provided to their employees to enhance their ability to identify risks and assess the impact of cybersecurity measures on the services they provide.

NIS2 establishes principles for the supervision conducted by authorities. Different monitoring methods are applied to essential and important entities, including on-site inspections, external monitoring, and security checks. Enforcement measures include warnings, binding instructions, and administrative fines. For essential entities, administrative fines can be up to EUR 10 million or 2% of the organisation’s total annual turnover. For important entities, administrative fines can be up to EUR 7 million or 1.4% of the organisation’s total annual turnover. The governing bodies of essential entities may also face personal liability and a temporary prohibition from performing managerial duties.

How to be compliant with NIS2

NIS2 mandates that EU member states ensure that both essential and important entities implement appropriate cybersecurity risk-management measures to protect network and information systems and minimise the impact of incidents. These measures must be based on an all-hazards approach and cover areas including risk analysis, incident handling, business continuity, supply chain security and cybersecurity training. Entities are required to assess the vulnerabilities of their suppliers and service providers, and to promptly notify competent authorities of significant incidents. Compliance requires adherence to detailed reporting obligations and may involve implementing specific technical and methodological requirements.

Deloitte’s approach to NIS2 compliance involves leveraging an organisation’s strengths while considering EU regulations. The regulatory impacts are assessed by identifying the parts of an organisation and stakeholders that are affected by NIS2. Additionally, a comprehensive baseline assessment of an organisation’s current state is conducted, highlighting key development areas that are in line with NIS2. Support extends to implementing essential cybersecurity measures, such as risk management and business continuity planning, ensuring alignment with NIS2.

Summary

NIS2, an extension of the previous NIS directive, aims to bolster cybersecurity across the EU by mandating that critical infrastructure and essential service operators implement security measures and report incidents. It broadens the scope of cybersecurity rules to encompass more sectors, enhancing resilience. Compliance involves adopting cybersecurity measures, conducting risk assessments, and promptly reporting incidents. Non-compliance may lead to fines, warnings and temporary prohibition from managerial roles, emphasising the importance of adhering to the directive’s requirements.

Sources:

The NIS2 Directive

EUR-Lex: Directive (EU) 2022/2555 of the European Parliament and of the Council

ENISA: EU CyCLONe