Navigating NIS2 – considerations for businesses

15 August 2024

In January 2023, the European Union adopted a new version of the Network and Information Security Directive (NIS2), setting out four overarching control areas of risk management, corporate accountability, reporting obligations and business continuity. It also includes the addition of 10 minimum measures to implement an effective cybersecurity baseline. The aim of NIS2 is to increase the level of cybersecurity and resilience within critical organisations and their entire network of interconnected systems, including third parties across the European Union. The directive is set to be transposed into the national laws of member states by 17 October 2024. 

Although the UK is not directly implementing NIS2, businesses that operate across the EU or are suppliers of businesses that fall under its scope are likely to see requirements being passed on to them. Additionally, we expect the UK will seek adequacy against NIS2 and will make changes to existing cybersecurity laws. These changes may include expanding the scope of applicable industries, broadening the scope of managed service provider services, incorporating more supply chain security-related policies and increasing incident reporting obligations. 

NIS2 applicability

NIS2 applies to all entities providing essential or important services to the European economy and society, including both companies and suppliers.

Essential Entities 

(varies by sector, but generally 250 employees, annual turnover of €50m or balance sheet of €43m)

 Important Entities

(varies by sector, but generally 50 employees, annual turnover of €10m or balance sheet of €10m)

 Energy  Postal services
 Transport  Waste management
 Finance  Chemicals
 Public administration  Research
 Health  Foods
 Space  Manufacturing (eg medical devices and other equipment)
 Water supply (drinking and wastewater)  Digital providers (eg social networks, search engines, and online marketplaces)
 Digital infrastructure (eg cloud computing service providers and ICT management)  All sectors under ‘essential entities’ and within the size threshold for ‘important entities’

Supervision

To ensure compliance with NIS2, competent authorities will have new powers. These include:

  • conducting on-site inspections and off-site supervision, which could also include random checks;
  • ad hoc, regular and targeted security audits;
  • security scans; and
  • requests for information and access to data and evidence of implementation of cyber security policies.

Penalties

The requirements vary based on an entity’s designation, but regardless, the penalties for non-compliance are severe.

  • Directors and management can be held personally liable for failures in implementation, with various offences attracting criminal penalties including fines and/or possible imprisonment.
  • Fines can reach up to €10m or 2% of total turnover (for essential entities) or €7m or 1.4% of total turnover (for important entities).
  • Regulators may suspend business operations if necessary for network security.

How we can help

Applicable organisations must take steps to prepare for compliance. Below are the steps we can assist you with.

  • Implementation plan
  • Organisation assessment
  • Self-reporting mechanisms

Implementation plan

Organisation assessment

Self-reporting mechanisms

If you would like further information on any of the topics discussed above, please contact Stuart Leach, Sheila Pancholi or your usual RSM contact.

Cyber Security

Our latest report reveals how middle market businesses are navigating cyber security threats.