Governing cybersecurity under the European Union’s NIS2 Directive
Over the years, we have witnessed many cyberattacks against various governmental institutions, state organisations and public infrastructure. Disruptions because of cyberattacks can have major consequences on the normal functioning of services as well as dire financial consequences.
The NIS2 Directive, which came into force in 2023, is EU-wide cybersecurity legislation that provides legal measures to raise the overall level of cybersecurity in the EU. It requires each member state to be prepared and appropriately equipped with a Computer Security Incident Response Team and a competent national network and information systems (NIS) authority. It also connects the member states by setting up a cooperation group to support and facilitate strategic cooperation and the exchange of information among them. The legislation also encourages a culture of security across sectors that are vital for our economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure.
Compared to its previous version, the new NIS Directive eliminates the distinction between operators of essential services and digital service providers: entities are classified based on their importance and divided into two categories, essential and important entities, which are subject to different supervisory regimes. This means that all sectors and organisations covered by NIS2 are of great importance to communities within EU member states; it is understood that their disruption would cause serious harm to society if they were no longer able to perform their functions. Ultimately, the two categories were created to reflect the fact that not all sectors impact society at the same scale in the event of an incident.
Member states must carry out effective supervision to ensure compliance with the requirements of NIS2. For essential entities, this means proactive supervision. For important entities, it means reactive supervision, which may be triggered by evidence, an indication, or information that the entity allegedly does not comply with the Directive. In the latter case, action should only be taken when it appears to a member state that an important entity does not comply with the obligations laid down in the Directive.
The first NIS Directive introduced a duty to report incidents that significantly impact service continuity. According to the Directive, an incident is “any event with an actual detrimental effect on the security of network and information systems”. Security refers to “the ability of network and information systems to withstand actions that affect the availability, integrity, confidentiality, and authenticity of network and information systems with a certain degree of reliability”. To assess whether an incident has a significant impact, the guideline describes several parameters to be considered, including the number of users affected, the duration of the incident, and the size of the geographical area affected by the incident.
The NIS2 Directive sets up a consistent framework for sanctions across the EU by establishing a minimum list of administrative sanctions for breaches of the cybersecurity risk management and reporting obligations. These sanctions include binding instructions, orders to implement the recommendations of a security audit, orders to bring security measures in line with NIS requirements, and administrative fines. For administrative penalties, the new NIS Directive distinguishes between essential and important entities. In Ireland, the State is also responsible for the security of services provided by multinational companies across the EU that have their European headquarters located in Ireland.
Member states must give the relevant authorities the ability to impose considerable fines. For essential entities, the NIS2 Directive requires member states to provide for administrative fines with a maximum of at least €10,000,000 or 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher. For important entities, the NIS2 Directive requires member states to provide for a maximum fine of at least €7,000,000 or 1.4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Cybersecurity is not just something delegated to the AI department, but a complex process that involves legislation, cooperation, technology and education in order to withstand current and evolving cyberthreats. At ESET Ireland we believe that the first step should always be receiving adequate information about the latest threats, which we make regularly available at blog.eset.ie.
T: 053 914 6600
E: hello@eset.ie
W: www.eset.ie