Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the "NIS2 Directive") was published in the Official Journal in December 2022 and entered into force on 16 January 2023. It repealed Directive (EU) 2016/1148 on measures for a high common level of security of network and information systems across the Union, known as the "NIS Directive".
Compared to the NIS Directive, the NIS2 Directive widens the range of entities in scope, adds cybersecurity risk management measures, and tightens incident reporting obligations. Its purpose is to establish common minimum cybersecurity requirements and a consistent level of implementation of cybersecurity measures across the EU (European Union).
Obligations and Liability of Management Bodies
The NIS2 Directive introduces obligations and liabilities at the management level to strengthen cybersecurity governance. These obligations require the management of the entities concerned to be aware of, and accountable for, their organisation's cybersecurity.
Two categories of entities fall within the scope of the NIS2 Directive: essential entities and important entities. A wide range of sectors is covered, including energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure, and public administration, among others. Member States must establish a list of essential and important entities by 17 April 2025.
According to Article 20 of the NIS2 Directive, the management bodies of essential and important entities must approve the cybersecurity risk management measures taken within their entities. Management bodies are also responsible for overseeing the implementation of those measures. Failure to comply with these obligations may trigger the liability of the management bodies under the same Article.
Under the NIS2 Directive, members of management bodies are also required to follow training, and entities are encouraged to offer similar training to their employees, so that they gain sufficient knowledge and skills to identify cyber risks and assess their impact on the services the entity provides. Article 21 of the NIS2 Directive requires entities to take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of their network and information systems and to prevent or minimise the impact of incidents on the recipients of their services and on other services.
These measures shall include at least the following:
- Policies on risk analysis and information system security;
- Incident handling;
- Business continuity, such as backup management and disaster recovery, and crisis management;
- Supply chain security, including security-related aspects of the relationships between each entity and its direct suppliers or service providers;
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- Basic cyber hygiene practices and cybersecurity training;
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- Human resources security, access control policies, and asset management;
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.
Reporting Obligations
The NIS2 Directive requires covered entities to notify their Computer Security Incident Response Team (CSIRT) or, where applicable, their competent authority of any significant incident without undue delay. Notification is staged: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month of the incident notification. Where appropriate, entities must also inform the recipients of their services of significant incidents that are likely to adversely affect the provision of those services.
Additionally, the entities concerned must, where appropriate, inform the recipients of their services that are potentially affected by a significant cyber threat of any measures or remedies those recipients can take in response to that threat.
The NIS2 Directive treats an incident as significant if it (i) has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or (ii) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Member States had until 17 October 2024 to adopt the national laws transposing the Directive and must apply them from 18 October 2024. It is important to emphasise that the NIS2 Directive does not apply only to entities established in the EU: certain categories of entities established outside the EU that offer their services within the EU, such as DNS service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, and providers of online marketplaces, search engines, or social networking platforms, are also in scope and must designate a representative in the Union.