Navigating the NIS 2 Directive: Key changes and compliance strategies

• Expanded scope: NIS 2 broadens the coverage to include more sectors, categorizing organisations into essential and important entities, thus requiring a thorough assessment of whether an organisation falls within the scope.
   
• Increased Obligations and Penalties: NIS 2 imposes extensive cyber risk management obligations, with potential fines up to 10 million euros or 2% of annual turnover and holds management bodies personally responsible for compliance.
   
• Supply Chain Security: NIS 2 mandates that entities include supply chain security in their risk-management processes, requiring many to revise contracts and negotiate audit rights.
   
• Compliance Ambiguities: NIS 2 presents uncertainties, such as whether risk management obligations should extend to the entire supply chain or just direct suppliers, and which standards are best suited for compliance.
   
• Harmonization with Other Frameworks: NIS 2 compliance must be carefully negotiated to align with other EU regulations like GDPR, DORA, CRA, CSDDD, and the AI Act, necessitating a coordinated approach to manage supply chain risks effectively.
   

Member States within the EU are expected to transpose the revised Directive on Security and Information Systems ("NIS 2") into national law by 17 October this year. With the ever-increasing digitalisation and an evolving threat landscape, the directive seeks to enhance the overall level of cyber resilience within the European Union. The review of NIS 2's predecessor, the NIS Directive, revealed significant differences in implementation among Member States regarding its scope, security obligations and incident reporting, supervision and enforcement. Thus, the purpose of NIS 2 is to harmonize the approach to cybersecurity across the Union and to raise the general awareness of cybersecurity threats. This article will explore some of the major changes from the previous NIS Directive and its implications for organisations within and outside the European Union.

Firstly, NIS 2 expands the scope of the directive to more sectors compared to the previous NIS Directive. The NIS 2 Directive categorizes organizations into essential and important entities, with essential entities including, among others, organizations within the energy, health and banking sectors. Furthermore, entities within ICT service management, space and public administration are now covered and considered essential entities. Additionally, examples of entities recognized as 'important' include those within the postal and courier services, waste management and manufacturing sectors.  Thus, it is critically important to conduct a thorough assessment of whether your organization falls within the scope of NIS 2. 

Secondly, the directive imposes extensive obligations for managing cyber risk within a company. If an entity fails to comply with these obligations, Member States may impose fines of up to 10 million euros or 2 percent of the organization's annual turnover, whichever is higher. Furthermore, the management bodies of essential and important entities are given personal responsibility for overseeing the implementation of the risk-management measures. In the event of negligence, the management body may be held personally liable. Consequently, it is vital for the board of directors and management in organizations subject to NIS 2 to identify the risk-management requirements and implement them within their own organization. 

One of the major changes to the directive is found in Article 21, which addresses the cybersecurity risk-management measures that essential and important entities are expected to implement to manage risks posed to the security of their network and information systems. According to Art. 21(2)(d), entities must include "supply chain security" as a part of their risk-management process. Hence, many entities will likely need to revise their contracts to comply with this requirement. These contractual arrangements should include clauses to meet certain standards, and the parties should negotiate a right to audit. Additionally, it can be beneficial to further regulate the scope of the audit right for the entity under NIS 2 to properly assess risks in their supply chain. As such, suppliers based outside of the European Union, but providing goods or services to a European entity subject to NIS 2, may still find itself complying with some of the NIS 2 requirements through contractual obligations with the buyer. 

There are some unanswered questions regarding the extent of the obligation to monitor suppliers. Firstly, it is unclear if, and to what extent, the entity subject to NIS 2 is expected to conduct a risk assessment of the entire supply chain or only those with which the entity has contractual arrangements. The wording of Art. 21(2)(d) points to the latter, suggesting that entities need to mitigate risks with their "direct" suppliers. However, this distinction might be peculiar, especially for suppliers of ICT services, as risks relating to suppliers further back in the value chain can impact the functionality of your suppliers' network and information systems. Given that Art. 21 regulates 'risk-management', one probably cannot limit the risk requirement to only 'direct' suppliers and ignore risks related to suppliers further back in the supply chain. 

As a practical advice, it would be beneficial for organizations subject to the directive and their suppliers to examine and assess the cybersecurity requirements within NIS 2.  For many entities, this can pose a challenge, as the Commission and ENISA currently reference various ISO and IEC standards, the EU toolbox for 5G security, and the published guidance 'Good practice on supply chain security'. Although all of these are considered relevant for complying with the requirement on supply chain security, none of them are explicitly recognised as sufficient to comply with the provision.

However, when the supplier and the buyer have a satisfactory understanding of the supply chain requirement, it can be easier to negotiate a fair, balanced and effective contract. This enables the organisation to fulfil its obligations under Article 21 of the directive while still accommodating legal limitations. For instance, various legal obligations may impose restrictions on a supplier's ability to disclose information during a supply chain audit, such as information concerning national security, trade secrets, and other duties of confidentiality. Furthermore, GDPR restricts the sharing of personal data, and competition law restricts the sharing of commercially sensitive information, which may be relevant for certain suppliers operating on different levels in the market simultaneously. As such, the contracting parties should carefully negotiate the right to audit to comply with other regulatory requirements while still helping the organization assess the risk within its supply chain. 

Lastly, NIS 2 should be considered in the context of other legal acts from the EU regarding supply chain compliance. For instance, the Digital Operational Resilience Act ("DORA"), Cyber Resilience Act ("CRA"), Corporate Sustainability Due Diligence Directive ("CSDDD") and the AI Act all impose responsibilities on entities and their value chain. Consequently, it can be highly valuable for legal departments to conduct a thorough assessment of the relevant criteria found in these legal acts and seek to harmonise the risk-assessment as much as possible.