Key contact: Sean McElligott – Partner
The upcoming NIS2 Directive sets the bar for baseline cybersecurity across Europe and is an essential step in safeguarding the critical infrastructure of Europe, and of Ireland Inc., from cyber threats.
The Directive must be transposed into national law by 17 October 2024, and the National Cyber Security Centre (NCSC) expects its implementation to produce a dramatic rise in the number of regulated entities in Ireland, from the approximately 120 regulated under NIS1 to an estimated 3,500. Although implementation is still four months away, you need to begin your NIS2 journey now, as a matter of urgency, by considering whether:
- You are a regulated entity within the scope of the Directive; or
- Even if you’re not, are you in the supply-chain of a regulated entity.
Are you a regulated entity within the scope of the Directive?
NIS2 categorises entities by sector and then designates each as essential or important. The sectors covered by the Directive are those that contribute significantly to the functioning of the economy and society, and include energy, food, healthcare, telecommunications, space, manufacturing, and banking.
If you fall within a covered sector, the next step is to determine your designation as essential or important, as this determines the regulatory regime to which you will be subject. Most small enterprises, that is entities with fewer than 50 employees and an annual turnover (or annual balance sheet total) not exceeding €10 million, are entirely outside the scope of NIS2's requirements, regardless of sector. Medium enterprises, those with between 50 and 249 employees and an annual turnover not exceeding €50 million (or an annual balance sheet total not exceeding €43 million), that operate in covered sectors tend to be designated as important. However, there are important exceptions to this general framework, most notably that certain digital infrastructure organisations, such as qualified trust service providers and TLD name registries, are essential under NIS2 no matter their size.
If not, are you in the supply-chain of a regulated entity?
NIS2 makes regulated entities responsible for the security of their supply chain. That means each regulated entity will need to assess and monitor the security-related aspects of its relationships with its direct suppliers and service providers.
The legislation casts the net very widely as to who might be in scope. Taking one example, it is arguably the case that a vendor which supplies a networked staff vending machine to the facility in which an electricity provider generates electricity will be in scope as part of that provider's supply chain.
For companies that supply goods or services to essential or important entities, reviewing your own cybersecurity practices will be paramount to avoiding liability or loss of business from those regulated organisations.
“Management bodies” are liable for breaches of NIS2
In perhaps the most significant change under NIS2, the "management bodies" of essential and important entities must approve the cybersecurity risk-management measures taken by those entities and oversee their implementation. These bodies can be held liable for infringements of NIS2 provisions. Unfortunately, the Directive does not specifically define the term "management body", but other provisions of NIS2 suggest that it includes any natural person discharging managerial responsibilities at chief executive officer or legal representative level.
Takeaways
First of all, you need to consider whether NIS2 applies to you, and specifically whether you are a regulated entity or are in another company's supply chain.
If you are a regulated entity under NIS2, then the "management body" is going to be on the hook in the event of a security incident within the organisation or originating in its supply chain.
Responsibility for security can no longer be outsourced to the CISO, and the penalties for an essential entity can be up to €10m or 2% of total worldwide annual turnover, whichever is higher (for an important entity, up to €7m or 1.4% of total worldwide annual turnover, whichever is higher).
Even if you are not a regulated entity, you will almost certainly face contractual obligations, and potential contractual liability, to upstream customers to whom you provide services and who are themselves regulated entities.
In the next article on NIS2 we will examine the steps that companies need to take to implement baseline security.