Listen to Tech Law Talks for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day. On this channel, we host regular discussions about the legal and business issues around data protection, privacy and security; data risk management; intellectual property; social media; and other types of information technology.
Episodes

Wednesday Feb 12, 2025
Navigating NIS2: What businesses need to know
Catherine Castaldo, Christian Leuthner and Asélle Ibraimova dive into the implications of the new Network and Information Security (NIS2) Directive, exploring its impact on cybersecurity compliance across the EU. They break down key changes, including expanded sector coverage, stricter reporting obligations and tougher penalties for noncompliance. Exploring how businesses can prepare for the evolving regulatory landscape, they share insights on risk management, incident response and best practices.
Transcript:
Intro: Hello, and welcome to Tech Law Talks, a podcast brought to you by Reed Smith's Emerging Technologies Group. In each episode of this podcast, we will discuss cutting-edge issues on technology, data, and the law. We will provide practical observations on a wide variety of technology and data topics to give you quick and actionable tips to address the issues you are dealing with every day.
Catherine: Hi, and welcome to Tech Law Talks. My name is Catherine Castaldo, and I am a partner in the New York office in the Emerging Technologies Group, focusing on cybersecurity and privacy. And we have some big news with directives coming out of the EU for that very thing. So I'll turn it to Christian, who can introduce himself.
Christian: Thanks, Catherine. So my name is Christian Leuthner. I'm a partner at the Reed Smith Frankfurt office, also in the Emerging Technologies Group, focusing on IT and data. And we have a third attorney on this podcast, our colleague, Asélle.
Asélle: Thank you, Christian. Very pleased to join this podcast. I am counsel based in Reed Smith's London office, and I also am part of emerging technologies group and work on data protection, cybersecurity, and technology issues.
Catherine: Great. As we previewed a moment ago, on October 17th, 2024, there was a deadline for the transposition of a new directive, commonly referred to as NIS2. And for those of our listeners who might be less familiar, would you tell us what NIS2 stands for and who is subject to it?
Christian: Yeah, sure. So NIS2 stands for the Directive on Security of Network and Information Systems. And it is the second iteration of the EU's legal framework for enhancing the cybersecurity of critical infrastructures and digital services. It replaces the previous directive, which obviously is called NIS1, which was adopted in 2016, but had some limitations and gaps. So NIS2 applies to a wider range of entities that provide essential or important services to the society and the economy, such as energy, transport, health, banking, digital infrastructure, cloud computing, online marketplaces, and many, many more. It also covers public administrations and operators of electoral systems. Basically, anyone who relies on network and information systems to deliver their services and whose disruption or compromise could have significant impacts on the public interest, security or rights of EU citizens and businesses will be in scope of NIS2. As you already said, Catherine, NIS2 had to be transposed into national member state law. So it's a directive, not a regulation, contrary to DORA, which we discussed the last time in our podcast. It had to be implemented into national law by October 17th, 2024. But most of the member states did not. So the EU Commission has now started investigations regarding the violations of the Treaty on the Functioning of the European Union against, I think, 23 member states, as they have not yet implemented NIS2 into national law.
Catherine: That's really comprehensive. Do you have any idea what the timeline is for the implementation?
Christian: It depends on the state. So there are some states that have already comprehensive drafts. And those just need to go through the legislative process. In Germany, for example, we had a draft, but we have elections in a few weeks. And the current government just stated that they will not implement the law before that. And so after the election, the implementation law will be probably discussed again, redrafted. And so it'll take some time. It might be in the third quarter of this year.
Catherine: Very interesting. We have a similar process. Sometimes it happens in the States where things get delayed. Well, what are some of the key components?
Asélle: So, NIS2 focuses on cybersecurity measures, and we need to differentiate it from the usual cybersecurity measures that any organization thinks about in the usual way, where they protect their data and their systems against cyber attacks or incidents. So the purpose of this legislation is to make sure there is no disruption to the economy or to others. And in that sense, similar kinds of notions apply. Organizations need to focus on ensuring availability, authenticity, integrity and confidentiality of data and protect their data and systems against all hazards. These notions are familiar to us also from the GDPR kind of framework. So there are 10 cybersecurity risk management measures that NIS2 talks about, and these are: policies on risk analysis and information system security; incident handling; business continuity and crisis management; supply chain security; security in systems acquisition, development, and maintenance; policies to assess the effectiveness of measures; basic cyber hygiene practices and training; cryptography and encryption; human resources security training; and use of multi-factor authentication. So these are familiar notions also. And it seems the general requirements are something that organizations will be familiar with. However, the European Commission in its NIS Investments Report of November 2023 has done research, a survey, and actually found that organizations that are subject to NIS2 didn't really even take these basic measures. Only 22% of those surveyed had third-party risk management in place, and only 48% of organizations had top management involved in approving cybersecurity risk policies and any type of training. And this reduces the general commitment of organizations to cybersecurity. So there are clearly gaps, and NIS2 is trying to focus on improving that. There are a couple of other things that I wanted to mention that are different from NIS1 and are important.
So as Christian said, essential entities are different; they have a different compliance regime applied to them compared with important entities. Essential entities need to systematically document their compliance and be prepared for regular monitoring by regulators, including regular inspections by competent authorities, whereas important entities are only obliged to kind of be in touch and communicate with competent authorities in case of security incidents. And there is an important clarification in terms of the supply chain; these are the questions we receive from our clients. And the question is, does the supply chain mean anyone that provides services or products? And from our reading of the legislation, supply chain only relates to ICT products and ICT services. Of course, there is a proportionality principle employed in this legislation, as with usually most of the European legislation, and there is a size threshold. The legislation only applies to those organizations who exceed the medium threshold. And two more topics, and I'm sorry that I'm kind of taking over the conversation here, but I thought the self-identification point was important, because in the view of the European Commission, the original NIS1 didn't cover the organizations it intended to cover. And so, in the European Commission's view, the requirements are so clear in terms of which entities it applies to that organizations should be able to assess it and register, identify themselves with the relevant authorities by April this year. And the last point: digital infrastructure organizations, their nature is specifically kind of taken into consideration, their cross-border nature. And if they provide services in several member states, there is a mechanism for them to register with the competent authority where their main establishment is based, similar to the notion under the GDPR.
Catherine: It sounds like, though, there's enough information in the directive itself without waiting for the member state implementation that companies who are subject to this rule could be well on their way to being compliant by just following those principles.
Christian: That's correct. So even if the implementation into national law is currently not happening in all of the member states, companies can already work to comply with NIS2. So once the law is implemented, they don't have to start from zero. NIS2 sets out the requirements that important and essential entities under NIS2 have to comply with. For example: have a proper information security management system, have supply chain management, train their employees. And so they can already work to implement NIS2, and the directive itself also has annexes that set out the sectors and potential entities that might be in scope of NIS2. And the member states cannot really vary from those annexes. So if you are already in scope of NIS2 under the information that is in the directive itself, you can be sure that you would probably also have to comply with your national rules. There might be some gray areas where it's not fully clear if someone is in scope of NIS2, and those entities might want to wait for the national implementation. And it also can happen that the national implementation goes beyond the directive and covers sectors or entities that might not be in scope under the directive itself. And then of course they will have to work to implement the requirements then. I think a good starting point anyways is the existing security program that companies already hopefully have in place. So if they, for example, have an ISO 27001 framework implemented, it might be good to start with a mapping exercise of what NIS2 might require in addition to the ISO 27001. And then look if this should be implemented now or companies can wait for the national implementation. But it's recommended not to wait for the national implementation and do nothing until then.
Asélle: I agree with that, Christian. And I would like to point out that, in fact, digital infrastructure entities have very detailed requirements for compliance, because there was an implementing regulation that basically specifies the cybersecurity requirements under NIS2. And just to clarify, perhaps, the digital infrastructure entities that I'm referring to are DNS service providers, TLD name registries, cloud service providers, data centers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services, and trust service providers. So the implementing regulation is in fact binding and directly applicable in all member states. And the regulation is quite detailed and has specific requirements in relation to each cybersecurity measure. Importantly, it has detailed thresholds on when incidents should be reported, and we need to take into consideration that not any incident is reportable, only those incidents that are capable of causing significant disruption to the service or significant impact on the provision of the services. So please take that into consideration. And ENISA also published implementing guidance, and it's 150 pages, just explaining what the implementing regulation means. And it's still a draft. The consultation ended on the 9th of January 2025, so there'll be further guidance on that.
Catherine: Well, we can look forward to that. But I guess the next question would be, what are some of the risks for noncompliance?
Christian: Noncompliance with NIS2 can have serious consequences for the entities concerned, both legal and non-legal. On the legal side, NIS2 empowers the national authorities to impose sanctions and penalties for breaches. They can range from warnings and orders to fines and injunctions, depending on the severity and duration of the infringement. The sanctions can be up to 2% of the annual turnover or 10 million euros, whichever is higher, for the essential entities, and up to 1.4% of the annual turnover or 7 million euros, whichever is higher, for important entities. NIS2 also allows the national authorities to take corrective or preventive measures. They can suspend or restrict the provision of the services and order the entities to take remedial actions or improve their security posture. So even if they have implemented security measures and the authorities understand or determine that they are not sufficient in light of the risk applicable to the entity, they can require them to implement other measures to increase the security. On the non-legal side, it's very similar to what we discussed in our DORA podcast. There can be civil liability if there is an incident, if a damage occurs. And of course, the reputational damage and loss of trust and confidence can be really, really severe for the entities if they have an incident. And it's huge because they did not comply with the NIS2 requirements.
Asélle: I wanted to add that, unfortunately, with this piece of legislation, member states can add to the list of entities to which this legislation will apply. They can apply higher cybersecurity requirements, and because of the new criteria and new entities being added, it now applies to twice as many sectors as before. So quite a few organizations will need to review their policies and take cybersecurity measures. And it's helpful, as Christian mentioned, that, you know, ENISA already mapped the cybersecurity measures against existing standards. It's on its website. I think it's super helpful. And it's likely that the cybersecurity measures and the general risk assessment will be done by cybersecurity teams and risk compliance teams within organizations. However, legal will also need to be involved. And often policies, once drafted, are reviewed by in-house legal teams. So it's essential that they all work together. It's also important to mention that there will be an impact on the due diligence and contracts with ICT product providers and ICT service providers. So the due diligence processes will need to be reviewed and enhanced, and contracts drafted to ensure they will allow the organization, the recipient of the services, to be compliant with NIS2. And maybe a last point, just to cover off the UK, what's happening in the UK for those who also have operations there. It is clear now that the government will implement a version of NIS2. It's going to follow the European Union in its steps. And we recently were informed of a government page on the new Cyber Security and Resilience Bill. It's clear that it's going to be covering five sectors: transport, energy, drinking water, health, and digital infrastructure, and digital services, very similar to NIS2, such as online marketplaces, online search engines, and cloud computing services. We are expecting the bill to be introduced to Parliament this year.
Catherine: Wow, fantastic news. So it should be a busy cybersecurity season. If any of our listeners think that they need help and think that they may be subject to these rules, I'm sure my colleagues, Asélle and Christian, would be happy to help with the legal governance side of this cybersecurity compliance effort. So thank you very much for sharing all this information, and we'll talk soon.
Outro: Tech Law Talks is a Reed Smith production. Our producers are Ali McCardell and Shannon Ryan. For more information about Reed Smith's emerging technologies practice, please email techlawtalks@reedsmith.com. You can find our podcasts on Spotify, Apple Podcasts, Google Podcasts, reedsmith.com and our social media accounts.
Disclaimer: This podcast is provided for educational purposes. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest or establish standards of care applicable to particular lawyers in any given situation. Prior results do not guarantee a similar outcome. Any views, opinions, or comments made by any external guest speaker are not to be attributed to Reed Smith LLP or its individual lawyers.
Transcript is auto-generated.