the art of being legal

The NIS 2 Directive: Cybersecurity obligations in the European Union


ENISA, the European Union Agency for Cybersecurity, noted a significant increase in the number and variety of cyberattacks, and in their consequences, in the second half of 2022 and the first half of 2023. Between 2021 and 2022, 82% of recorded data breaches involved a human element (for example, human error being exploited to gain access to information or services).

These days, it's not a case of if nefarious forces will try to hack into your company's systems or steal sensitive data, but when, and that's why the European Union adopted the NIS 2 Directive.

Written by Abigail Sked, Paralegal

What is the NIS 2 Directive?

In 2022 the European Union adopted a directive with the objective of achieving a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market. This Directive, Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the NIS 2 Directive), can be considered an update of a similar directive from 2016 (Directive (EU) 2016/1148), which was transposed into Spanish law by Real Decreto-ley 12/2018. However, as we all know, change happens fast in the world of tech, and the law needs to try to keep up.

The NIS 2 Directive not only lays down cybersecurity risk-management measures and obligations for certain entities which it deems risky; it also requires Member States to update their national laws and strategies, establishes the relevant authorities and computer security incident response teams, and facilitates cybersecurity-related information sharing. In this post, however, we will focus on answering the main questions that you, as a business owner, may have about the NIS 2 cybersecurity directive.

 

I have a company in Spain. Are we subject to the obligations of the NIS 2 Directive?

Firstly, you should bear in mind that this law is really trying to ensure that essential services are continuously available to the public, without interruption. So, if your company is unlikely to be described as “essential” or of societal importance, it’s unlikely that this law affects you. If you were subject to this Directive’s predecessor, then you will still have obligations under this Directive, as it has broadened the scope of affected companies. However, good cybersecurity practice is essential to all companies, so you may still decide to take inspiration from the provisions of this Directive.

This Directive applies to both public and private entities that fall into any of the following categories:

1) Medium-sized or large businesses (more than 50 employees and an annual turnover and/or annual balance sheet exceeding EUR 10 million) which provide their services or carry out their activities within the Union and whose activity falls into one of the following sectors:

  • Annex 1: Sectors of high criticality
    • Energy
      • Electricity
      • District heating and cooling
      • Oil
      • Gas
      • Hydrogen
    • Transport
      • Air
      • Rail
      • Water
      • Road
    • Banking
    • Financial market infrastructures
    • Health
      • Healthcare providers
      • Pharma
      • Manufacturing
      • Laboratories
      • Research and development
    • Water
      • Drinking water
      • Waste water
    • Space
      • Infrastructure
      • Services
    • ICT
      • Digital infrastructure
      • ICT service management
    • Public administration

 

  • Annex 2: Other critical sectors
    • Waste management
    • Food
      • Production
      • Processing
      • Distribution
    • Manufacturing
      • Manufacturing, production and distribution of chemicals
      • Medical Development
      • Computer and electronic products
      • Optical products
      • Electrical equipment
      • Machinery and equipment
      • Motor vehicles
      • Trailers
      • Transport equipment
    • Postal / Courier services
    • Digital providers
      • Online market places
      • Online search engines
      • Social networking services platforms
    • Research organisations

 

2) Regardless of size, you will be subject to this law if:

  • your company's activity falls into one of the above categories and one of the following criteria applies to your company:
    • services are provided by:
      • providers of public electronic communications networks or of publicly available electronic communications services;
      • trust service providers;
      • top-level domain name registries and domain name system service providers;
    • the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;
    • disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
    • disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
    • the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State;
    • the entity is a public administration entity:
      • of central government; or
      • at regional level, if it provides services the disruption of which could have a significant impact on critical societal or economic activities;
  • your company is identified as a 'critical entity' under Directive (EU) 2022/2557; or
  • your company provides domain name registration services.

 

The NIS 2 Directive further subcategorises these entities into “essential” and “important” entities, but the obligations for either type of company are essentially the same.

Spain is at liberty to widen the scope of entities affected by NIS 2 Directive, so some other institutions, such as educational institutions, may be later added to this list. Spanish authorities have until April 2025 to establish a list of essential and important entities.

However, NIS 2 Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.


 

Who are the competent authorities?

NIS 2 Directive establishes various authorities which will oversee and enforce the provisions of the Directive, but the two authorities that you are most likely to communicate with are the following:

Competent authorities: Each Member State shall designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks set out in this Directive.

Computer security incident response teams (CSIRTs): These teams will have responsibilities such as monitoring and analysing cyber threats, vulnerabilities and incidents at national level and, upon request, assisting the essential and important entities concerned with real-time or near real-time monitoring of their network and information systems.

Currently there are 3 CSIRTs in Spain:

  • CCN-CERT for the public sector, attached to the National Cryptologic Centre.
  • INCIBE-CERT for those who do not belong to the CCN-CERT, citizens and private law entities.
  • ESPDEF-CERT, of the Joint Cyber Defence Command, which cooperates with the other CSIRTs in situations in which they are required to support essential operators and those that concern National Defence.

 

Obligation of registration

By April 2025, Spanish authorities must establish a list of essential and important entities as well as entities providing domain name registration services. For the purposes of establishing that list, you will be required to submit the following information to the competent authorities:

  1. the name of the entity;
  2. the address and up-to-date contact details, including email addresses, IP ranges and telephone numbers;
  3. where applicable, the relevant sector and subsector referred to in Annex I or II of this Directive; and
  4. where applicable, a list of the Member States where you provide services falling within the scope of this Directive.

Any changes to these details must be reported within two weeks of the date of the change.

 

Which measures must we implement to manage the risks to cybersecurity?

If the NIS 2 Directive applies to your company, the management body of your company must approve the necessary cybersecurity risk-management measures and oversee their implementation.

The exact measures to be taken will depend on the state of the art, relevant European and international standards, the cost of implementation, the company's exposure to risks, the vulnerabilities of its direct suppliers and service providers (and the results of any applicable Union-level coordinated security risk assessments of critical supply chains), the company's size, and the likelihood of incidents occurring and their severity, including their societal and economic impact.

However, the measures shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:

  1. policies on risk analysis and information system security;
  2. incident handling;
  3. business continuity, such as backup management and disaster recovery, and crisis management;
  4. supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  5. security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  6. policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  7. basic cyber hygiene practices and cybersecurity training;
  8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  9. human resources security, access control policies and asset management;
  10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

 

Training requirement

The management body of your company will be required to follow cybersecurity-related training and you will be encouraged to offer similar training to your employees on a regular basis so that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by your company.

 

Reporting obligations 

When must we report an incident?

You must notify the CSIRT or, where applicable, the competent authority, of any incident that has a significant impact on the provision of your services. Where appropriate, you must also notify the recipients of your services of significant incidents that are likely to adversely affect the provision of those services and any measures or remedies that they are able to take in response to the threat.

It’s important to note that the mere act of notification of the incident shall not subject your company to increased liability.

 

What is a 'significant incident'?

An incident shall be considered to be significant if:

  1. it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  2. it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

 

The notification timeline should look like this:

  1. without undue delay and in any event within 24 hours of becoming aware of the significant incident, provide an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
  2. without undue delay and in any event within 72 hours of becoming aware of the significant incident, provide an incident notification, which, where applicable, shall update the information referred to in point 1 and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;
  3. upon the request of the CSIRT/competent authority, provide an intermediate report on relevant status updates;
  4. provide a final report not later than one month after the submission of the incident notification under point 2, including the following:
    • a detailed description of the incident, including its severity and impact;
    • the type of threat or root cause that is likely to have triggered the incident;
    • applied and ongoing mitigation measures;
    • where applicable, the cross-border impact of the incident;
  5. if the incident is still ongoing at the time the final report referred to in point 4 is due, you will be required to provide a progress report at that time and a final report within one month of your handling of the incident.

 

What to expect: 

The CSIRT/competent authority shall provide you, without undue delay and where possible within 24 hours of receiving the early warning referred to above, with a response, including initial feedback on the significant incident and, upon your request, guidance or operational advice on the implementation of possible mitigation measures. The CSIRT shall provide additional technical support if you so request. Where the significant incident is suspected to be of a criminal nature, the CSIRT/competent authority shall also provide guidance on reporting the significant incident to law enforcement authorities.

It is worth noting that the CSIRT/competent authority will inform other affected Member States, should there be any, always while preserving your company's security, commercial interests and confidentiality. They may also, after consulting with your company, inform the public about the incident or require you to do so if public awareness is necessary to prevent an incident, to deal with an ongoing incident, or where disclosure of the incident is in the public interest.

 

Voluntary notification

You will also be able to notify the CSIRT/competent authorities on a voluntary basis about incidents, cyber threats and near misses which are not significant enough to trigger a mandatory report, but which you see fit to report. Voluntary reports will not result in additional obligations for your company as the reporting party.

 

Cybersecurity certification schemes

In order to demonstrate compliance with the particular cybersecurity risk-management measures requirements, Spain is at liberty to require your company to use particular ICT products, ICT services and ICT processes, developed by your company or procured from third parties, that are certified under European cybersecurity certification schemes. In any case, you are encouraged to use qualified trust services.

 

Database of domain name registration data

TLD name registries and entities providing domain name registration services will be required to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence and, as regards data which are personal data, in accordance with Union data protection law.

The information in the database shall include:

  • the domain name;
  • the date of registration;
  • the registrant’s name, contact email address and telephone number;
  • the contact email address and telephone number of the point of contact administering the domain name in the event that they are different from those of the registrant.

 

If you provide these services, you must also have publicly available policies and procedures, including verification procedures, in place to ensure that these databases include accurate and complete information. You must also make publicly available the domain name registration data which are not personal data, duly respond to legitimate access requests and cooperate with other TLD name registries and domain name registries to avoid duplication of data.

 

Sanctions and enforcement measures

Note: Not all of the authorities’ powers of enforcement apply to public administration entities.  

Supervision by the competent authorities 

Your company will have to submit to the supervision of the competent authorities, including, for example, agreeing to on-site inspections, independent security audits, requests for information, etc. Depending on the result of this supervision, the authorities may then issue warnings, give binding instructions, order the cessation of certain activities, etc.

Should those measures not lead to your compliance with the law, and the action you have been asked to take is not taken within the deadline set, the authorities will have the power, until you take the necessary action to remedy the deficiencies or comply with their requirements, to:

  • temporarily suspend (or legally request the suspension of) a certification or authorisation concerning part or all of the relevant services or activities provided by your company;
  • legally request a temporary prohibition of your chief executive officer or legal representative from exercising managerial functions.

Your legal representatives will be held liable for the breach of their duties to ensure compliance with this Directive.

 

Determination of appropriate measures

When deciding on the appropriate measures, the authority will consider the seriousness of the infringement, the duration, any relevant previous infringements, any damage caused, intent or negligence, measures taken to prevent or mitigate damage, adherence to approved codes of conduct or certification schemes and cooperation with the authorities. 

 

Administrative fines

Non-compliance may also result in the imposition of an administrative fine of up to EUR 10,000,000 or a maximum of 2% of the total worldwide annual turnover of your company in the preceding financial year.

 

If the NIS 2 Directive applies to my company, when must we start fulfilling our obligations?

Spain has until the 17th of October 2024 to adopt and publish measures which comply with this Directive, and those measures will apply from the next day, the 18th of October. However, as this Directive can be understood as an expansion of a previous law, many of the measures, or similar measures, are already in force in line with the EU's previous cybersecurity Directive. As such, it is highly advisable to start planning and implementing measures and procedures which comply with this Directive as soon as possible, if you are not doing so already.

 

Date published: 21 June 2024

Last updated: 3 December 2024