The NIS2 Directive (Directive (EU) 2022/2555) was formally adopted by the EU yesterday following the European Parliament's approval in November (European Parliament press release on NIS2 adoption). Member states must transpose it by 17 October 2024 and apply the transposed measures from 18 October 2024, so that is the effective compliance date for in-scope organisations. The expansion from the original NIS Directive of 2016 is significant in scope, obligations and enforcement, and will reshape the regulatory environment for the customer-portfolio organisations operating in EU jurisdictions over the next two years.
The expansion in scope. NIS1 covered approximately 1,500 organisations across the EU; NIS2 is expected to cover on the order of 110,000. The expansion comes partly from new sectors (manufacturing of critical products, food production, postal and courier services, public administration, space, and several others) and partly from a size-based rule replacing case-by-case designation: medium-sized and larger entities in a listed sector (broadly, 50 or more staff or more than €10 million annual turnover or balance sheet) are in scope by default, rather than only those individually designated as "operators of essential services" under NIS1, and a small number of entity types are in scope regardless of size. The customer-portfolio organisations affected directly: the manufacturer's overseas operations are likely in scope under the manufacturing designation (Annex II covers medical devices, computer and electronic products, electrical equipment, machinery and vehicles, among others); Northcott's overseas operations are probably in scope; the retailer's EU operations need a sector-by-sector check rather than a blanket answer, since NIS2 scope turns on the sector and size of the entity, not on the customer data it holds (food distribution, including wholesale and retail, is an Annex II sector, and an online marketplace falls under the digital-providers sector; customer-data obligations remain a GDPR matter). The financial-services firm has parallel obligations under DORA (the EU Digital Operational Resilience Act, addressing the financial sector specifically), which is in late legislative stages.
The expansion in obligations. NIS2 imposes more detailed cyber-resilience requirements (Article 21): risk-analysis and information-security policies, incident handling, business continuity and crisis management, supply-chain security, secure development and vulnerability handling, policies on cryptography and encryption, access control and asset management, multi-factor authentication, and several others. The incident-notification obligation (Article 23) has been strengthened and now runs in three stages for significant incidents: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month of that notification. The enforcement powers of supervisory authorities have been strengthened, and Article 20 requires management bodies to approve and oversee the risk-management measures, to undergo training, and makes them liable for infringements, the first personal-accountability provision of this kind in EU cybersecurity regulation.
The expansion in enforcement. The maximum administrative fines under NIS2 are €10 million or 2% of global annual turnover (whichever is higher) for essential entities, and €7 million or 1.4% of global annual turnover (whichever is higher) for important entities. The structure is broadly comparable to GDPR's enforcement framework but with a separate scope and supervisory mechanism. Since the autumn legislative progress made the framework concrete, the regulatory-cost dimension has become a recurring theme in the customer-organisation conversations about NIS2.
For the customer-portfolio programme work, the NIS2 readiness programme is now part of the 2023-2024 strategic theme. The customer-organisation conversations through Q3 and Q4 have been working through the impact assessment for each customer's specific operational scope, including whether each entity lands as essential or important, since that determines both the supervisory regime and the fine ceiling. The programme work that needs to land before October 2024 includes: risk-management documentation covering each Article 21 measure, incident-handling procedure development and testing against the 24-hour/72-hour/one-month reporting timeline, supply-chain-security programme development (the customer-portfolio supply-chain work catalysed by SolarWinds and Log4Shell will form the substantial base for NIS2-side compliance), a review of cryptography, encryption and access-control posture, and the governance changes that Article 20 requires of management bodies (approval and oversight of the measures, and training).
The UK situation is separate but parallel. The post-Brexit UK government has indicated through 2022 that the UK will pursue its own cyber-resilience legislative framework rather than transposing the EU's NIS2 directly; the January 2022 consultation on improving the UK's cyber resilience proposed amendments to the existing UK NIS Regulations 2018 rather than a wholesale replacement. The UK Cyber Resilience Act (working title, and not to be confused with the EU's proposed Cyber Resilience Act of September 2022, which is a product-security regulation) is in early consultation stages with substantive legislation expected through 2023-2024. The UK customer-organisation programme work will need to track both the UK-side framework and the EU-side framework where the customer's operations span both jurisdictions.
I will return to this through 2023 as the customer-organisation programme work develops. The NIS2 transposition cycle will be a substantial customer-portfolio strategic theme through to October 2024.