NIS2 Directive in Luxembourg - What to expect?
The European Commission has published on 16 January 2023 the final text of the NIS2 Directive - high common level of cybersecurity across the Union, which means that by 17 October 2024 Luxembourg and other member states, must adopt and publish a national legislation incorporating the provisions of the NIS2.
Below are some key take-aways on what to expect from the NIS2 implementation.
Organizations in scope
NIS2 introduces a size-cap rule, increasing its scope to all medium and large-sized entities in 11 different sectors, specified in Annex 1 of the Directive, such as:
1. Energy
2. Transport
3. Banking
4. Financial market infrastructure
5. Health
6. Drinking water
7. Waste water
8. Digital infrastructure
9. ICT service management
10. Public administration
11. Space
Unlike NISD 1, NIS2 no longer mentions operators of essential services (OES) or digital services providers (DSPs). Instead it defines requirements for two new categories of entities; Essential and Important. The list of Essential and Important entities will be kept by the European Union Agency for Cybersecurity (ENISA).
New cyber security requirements
NIS2 details cyber risk measures that need to put in place. The requirements are different for Essential and Important entities. While essential services should have an ex-ante supervisory regime (e.g., on-site inspections and off-site supervision, random checks, audits and requests for evidence of implementation of cybersecurity policies) important entities are not systematically required to document compliance with cybersecurity risk management requirements.
Both Essential and Important entities shall take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems. In practice, it means that the entities in scope should:
- Review and reinforce information system security policies;
- Set up incident handling process;
- Ensure business continuity and proper crisis management;
- Address risks steaming from an entity’s supply chain;
- Manage security of network and information systems;
- Review policies and procedures for cybersecurity risk management;
- Reinforce the use of cryptography and encryption.
Incident reporting
NIS2 also amends incident reporting requirements and imposes notification obligations in phases:
Higher fines for non-compliance
Administrative fines of up to 10 million EUR or 2% of the total global annual turnover of the company can be levied for non-compliance with the Directive. In addition to the fines, penalties can include binding instructions to bring security measures in line with NIS2 requirements as well to implement the recommendations of a security audit. In case of significant cyber threat is likely the entities can be also requested to inform their service recipients of the threat itself. Least but not last, the NIS2 makes it possible to hold natural persons representing Essential Entities liable for a breach of their duties to ensure compliance with the Directive.
How can Deloitte help
Deloitte can help to create a roadmap for implementation of compliance measures for risk management, aligning it with other applicable regulations applicable to your organization.
