ENISA, the European Union Agency for Cybersecurity, noted a significant increase in the quantity and variety of cyberattacks and their consequences in the latter part of 2022 and the first half of 2023, and, from 2021 to 2022, 82% of recorded data breaches involved a human element (such as human error being exploited to gain access to information or services).
These days, it’s not a case of if nefarious forces will try to hack into your company’s system or steal sensitive data, it’s when, and that's why the European Union adopted the NIS 2 Directive.
In 2022 the European Union adopted a directive whose objective is to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market. This Directive, Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), can be considered an update of a similar directive from 2016 (Directive (EU) 2016/1148), which was transposed into Spanish law by Real Decreto-ley 12/2018. However, as we all know, changes happen fast in the world of tech and the law needs to try to keep up.
The NIS 2 Directive not only lays down cybersecurity risk-management measures and obligations for certain entities deemed to be at risk; it also sets out obligations for Member States to update their national laws and strategies, establishes competent authorities and computer security incident response teams, and facilitates cybersecurity-related information sharing. However, in this post we will focus on answering the main questions that you, as a business owner, may have about the NIS 2 cybersecurity directive.
Firstly, you should bear in mind that this law is really trying to ensure that essential services are continuously available to the public, without interruption. So, if your company is unlikely to be described as “essential” or of societal importance, it’s unlikely that this law affects you. If you were subject to this Directive’s predecessor, then you will still have obligations under this Directive, as it has broadened the scope of affected companies. However, good cybersecurity practice is essential to all companies, so you may still decide to take inspiration from the provisions of this Directive.
This Directive applies to both public and private entities who fall into any of the following categories:
1) Medium-sized or large businesses (more than 50 employees and annual turnover and/or annual balance sheets exceeding EUR 10 million) which provide their services or carry out their activities within the Union and whose activity falls into one of these categories:
2) Regardless of size, you will be subject to this law if:
The NIS 2 Directive further subcategorises these entities into “essential” and “important” entities, but the obligations for either type of company are essentially the same.
Spain is at liberty to widen the scope of entities affected by the NIS 2 Directive, so other institutions, such as educational institutions, may later be added to this list. Spanish authorities have until April 2025 to establish a list of essential and important entities.
However, NIS 2 Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
NIS 2 Directive establishes various authorities which will oversee and enforce the provisions of the Directive, but the two authorities that you are most likely to communicate with are the following:
Competent authorities: Each Member State shall designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks set out in this Directive.
Computer security incident response teams (CSIRTs): These teams will have responsibilities such as monitoring and analysing cyber threats, vulnerabilities and incidents at national level and, upon request, providing assistance to the essential and important entities concerned regarding real-time or near real-time monitoring of their network and information systems.
Currently there are 3 CSIRTs in Spain:
By April 2025, Spanish authorities must establish a list of essential and important entities as well as entities providing domain name registration services. For the purposes of establishing that list, you will be required to submit the following information to the competent authorities:
Any changes to these details must be reported within two weeks of the date of the change.
If the NIS 2 Directive applies to your company, the management body of your company must approve the necessary cybersecurity risk-management measures and oversee their implementation.
The exact measures to be taken will depend on the state of the art, European and international standards, the cost of implementation, the company’s exposure to risks, the vulnerabilities of direct suppliers and service providers (and the results of any applicable Union-level coordinated security risk assessments of critical supply chains), the company’s size, and the likelihood of the occurrence of incidents and their severity, including their societal and economic impact.
However, the measures shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
The management body of your company will be required to follow cybersecurity-related training and you will be encouraged to offer similar training to your employees on a regular basis so that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by your company.
You must notify the CSIRT or, where applicable, the competent authority, of any incident that has a significant impact on the provision of your services. Where appropriate, you must also notify the recipients of your services of significant incidents that are likely to adversely affect the provision of those services and any measures or remedies that they are able to take in response to the threat.
It’s important to note that the mere act of notification of the incident shall not subject your company to increased liability.
An incident shall be considered to be significant if:
The CSIRT/competent authority shall provide you, without undue delay and where possible within 24 hours of receiving the early warning referred to above, with a response, including initial feedback on the significant incident and, upon your request, guidance or operational advice on the implementation of possible mitigation measures. The CSIRT shall provide additional technical support if you so request. Where the significant incident is suspected to be of a criminal nature, the CSIRT/competent authority shall also provide guidance on reporting the significant incident to law enforcement authorities.
It is worth noting that the CSIRT/competent authority will inform other affected Member States, should there be any, always while preserving your company’s security, commercial interests and confidentiality. They may also, after consulting with your company, inform the public about the incident or require you to do so if public awareness is necessary to prevent an incident, deal with an ongoing incident or where disclosure of the incident is in the public interest.
You will also be able to notify the CSIRT/competent authorities on a voluntary basis about incidents, cyber threats and near misses which are not sufficiently significant to oblige you to report, but which you see fit to report. Voluntary reports will not result in additional obligations for your company, the reporting party.
In order to demonstrate compliance with the particular cybersecurity risk-management measures requirements, Spain is at liberty to require your company to use particular ICT products, ICT services and ICT processes, developed by your company or procured from third parties, that are certified under European cybersecurity certification schemes. In any case, you are encouraged to use qualified trust services.
TLD name registries and entities providing domain name registration services will be required to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data.
The information in the database shall include:
If you provide these services, you must also have publicly available policies and procedures, including verification procedures, in place to ensure that these databases include accurate and complete information. You must also make publicly available the domain name registration data which are not personal data, duly respond to legitimate access requests and cooperate with other TLD name registries and domain name registries to avoid duplication of data.
Note: Not all of the authorities’ powers of enforcement apply to public administration entities.
Your company will have to submit to the supervision of the competent authorities, including, for example, agreeing to on-site inspections, independent security audits, requests for information, etc. Depending on the result of this supervision, the authorities may then issue warnings, give binding instructions, order the cessation of certain activities, etc.
Should those measures not lead to your compliance with the law, and the action they have asked you to take is not taken within the deadline set, the authorities will have the power to:
until you take the necessary action to remedy the deficiencies or comply with the requirements of the authority.
Your legal representatives will be held liable for the breach of their duties to ensure compliance with this Directive.
When deciding on the appropriate measures, the authority will consider the seriousness of the infringement, the duration, any relevant previous infringements, any damage caused, intent or negligence, measures taken to prevent or mitigate damage, adherence to approved codes of conduct or certification schemes and cooperation with the authorities.
Your non-compliance may also result in the imposition of an administrative fine of up to EUR 10,000,000 or a maximum of 2% of the total worldwide annual turnover of your company in the preceding financial year, whichever is higher.
Spain has until the 17th of October 2024 to adopt and publish measures which comply with this Directive, and those measures will apply from the next day, the 18th of October. However, as this Directive can be understood as an expansion of a previous law, many of the measures, or similar measures, are already in force in line with the EU’s previous cybersecurity Directive. As such, it is highly advisable to start planning and implementing measures and procedures which comply with this Directive as soon as possible, if you are not doing so already.