NIS2: Fines and Implications Explained

The Network and Internet Security Directive (EU) 2022/2555, generally referred to as NIS2, is a comprehensive piece of EU law aiming at improving cybersecurity throughout Europe. Starting from January 16, 2023, when the Directive became effective, EU Member States will have a period of 21 months to incorporate the Directive’s provisions into their national laws. It is required that all EU countries adhere to the new regulations from October 18, 2024, and add legal measures aimed at improving cybersecurity standards for both public and private sector entities.

If your business provides essential or important (we will get to this later) services to the European economy and society, this directive is likely to affect you, so It’s critical to understand how NIS2 Directive may impact your present cybersecurity posture. To prevent the severe penalties of non-compliance, you must formulate a clear compliance approach and strategy, as this directive is about more than just avoiding fines and penalties; NIS2 requires stronger oversight and enforcement and personal accountability for higher management.

For an in-depth look at NIS2 from the perspective of which organizations are in scope, details of the different industry sectors and what you need to do to make your business compliant with NIS2 see our article here. In this article we’ll look at the fines and other non-financial burdens that can be levied against your business if you don’t take NIS2 seriously.  

The original NIS legislation was formed in response to concerns about cybersecurity and a changing threat landscape, and events in recent years (the COVID-19 pandemic, Russia’s invasion of Ukraine, and a continuing increase in different types of cyber-attacks) have prompted the EU to expand and strengthen the original Directive, resulting in NIS2.

The impact of this new Directive could be as significant as GDPR, so you need to be aware of the upcoming requirements. NIS2 is designed to address these shortcomings through national cybersecurity strategies, enhanced cooperation and information sharing between Member States, increased risk management and incident reporting obligations, and stricter regulatory supervision and enforcement. 

Where GDPR is concerned with the protection of personal data and privacy rights, NIS2 is focused on the security and resiliency of networks and information systems, particularly at organizations that are critical for the functioning of modern society.  

The 2016 Directive defined two types of organization:

1. Essential services such as energy, transport, water and healthcare providers.
2. Digital service providers, e.g. online marketplaces, cloud computing services, and search engines.

Businesses that fell into either category had to comply with the following 3 requirements:

1. Take appropriate security measures to protect themselves from cyber threats.
2. Report any incidents that had a significant impact on operations.
3. Notify relevant authorities in the event of major incidents.

In the initial legislation, it was up to EU Member States to decide the types of businesses that had to comply with NIS, but NIS2 has renamed the categories to ‘essential entities’ and ‘important entities’, and is more specific about the types of businesses that fall into each category.

NIS2 applies to both EU-based organizations and organizations based elsewhere that provide their services within the region. EU Member States must maintain an up-to-date list of all essential and important entities operating within their jurisdiction.

Essential entities include:

• Energy providers
• Transport companies
• Banking and financial market infrastructure
• Healthcare and pharmaceutical manufacturers
• Drinking water and wastewater infrastructure
• Public administration
• ICT services
• Digital infrastructure, including cloud service providers, data centers, domain name systems (DNS), and public communication networks

Important entities include:

• Postal and courier services
• Waste management
• Chemical manufacturing
• Food production and processing services
• Production of electronics, machinery, and motor vehicles
• Online marketplaces, search engines, and social networking sites
• Higher education and research institutions

Note:

An entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.

While NIS2 brings numerous benefits, it also presents challenges of implementation and compliance. This will prove difficult for some organizations, especially those that are smaller as they will likely struggle to come up with the resources needed to meet the new requirements that have been set by the directive. The NIS2 Directive outlines distinct repercussions for non-compliance, comprising both Monetary and Non-Monetary penalties, and possible Criminal Sanctions.

How smaller organizations are affected

For non-monetary consequences, NIS2 empowers national supervisory authorities with the jurisdiction to impose non-monetary penalties, including:

• Binding instructions 
• Security audit implementation orders  
• Threat notification orders to entities’ customers 
• Compliance orders 

If your business is in scope for NIS2 you should also consider the additional non-financial consequences of a significant cyber security breach, and the resultant fall out. Depending on the type of attack, and the lack of or failure of security controls that led to a successful breach, your customers, partners and investors can lose their trust of your business. Customers might hesitate to buy from you, partners might look elsewhere for more reliable suppliers or connections and investors may withdraw their support.  

The resulting reputational damage is also hard to quantify, but definitely something to include in your risk management planning. It’s also likely that other organizations will minimize their own risks by only working with businesses that demonstrate NIS2 compliance, and thus it might become a competitive disadvantage to not take compliance seriously. You might even find it difficult to hire top talent for your IT or cyber security team if you’re known for your lax security practices.  

In terms of administrative fines, the NIS2 directive makes a clear distinction between essential and important organizations.

In the case of essential entities, Member States are mandated to stipulate a maximum fine threshold, set at a minimum of €10,000,000 or 2% of the global annual revenue, whichever amount is higher.

For important entities, NIS2 dictates that Member States impose fines up to a maximum of €7,000,000 or 1.4% of the global annual revenue, choosing the higher of the two values. This distinction underscores the graduated approach to penalties based on the classification of entities. It’s also worth noting that there are many important entities that are new to being in scope of NIS2, and for smaller organizations the task of achieving compliance might seem daunting.

And these smaller businesses (as well as larger enterprises) are also going to have to put serious effort into making sure their cyber security practices are prepared for a NIS2 audit, all of which costs time, staff focus and financial resources. The cost of improving cyber security to comply with a specific regulation, especially for an SME, must be taken into account when budgeting, especially if the organization has a lot of change of their processes and systems ahead of them to achieve the required standard of cyber security defense.  

To reduce the burden on IT departments tasked with shouldering sole responsibility for organizational security and to shift the perception of cybersecurity accountability, NIS2 introduces novel measures that place personal liability on top management in cases of gross negligence following a security breach.

NIS2 specifically enables authorities to hold management executives personally liable if gross negligence is shown in the wake of a cyber catastrophe. This authority includes:

• Organizations must report violations of compliance publicly.
• Making public comments that identify the natural and legal person(s) accountable for the offense and explain its nature.
• In the case of an essential entity, temporarily prohibiting an individual from acquiring management roles and responsibilities in the event of repeated violations. 

In the event of a breach or incident, organizations must follow a 3-step reporting procedure:

1. They must give the relevant authority a ‘first early warning’ within 24 hours of the discovery of an incident.
2. The affected organization must then provide a more formal incident notification within 72 hours.
3. A final report must be given a month after the formal incident notification, and the organization must respond to any requests for status updates and provide progress reports if asked to do so.

An incident under NIS2 could also be considered a breach under GDPR, in which case NIS2 will not impose a monetary fine for that same incident. However, NIS2 may impose other non-financial penalties for the same incident.

Until your region puts NIS2 into law, you don’t have to take any specific actions. However, many of the security measures set out in NIS2 are actions you should be taking anyway, to protect your business-critical data. These include:

• Conducting an audit of your data. It’s not just stored on traditional servers now; you need to know exactly which cloud services and Software-as-a-Service (SaaS) apps are being used to store and process your business data.
• Regularly review your existing cybersecurity tools and strategies, and ensure compliance is in place is in place before a breach occurs.
• Encrypting data, both in transit and at rest.
• Having a reliable backup solution in place for all your data, including data you store on SaaS applications.
• Having a comprehensive Disaster Recovery and Business Continuity strategy, and in the event of the company’s email compromise, testing it regularly.
• Ensuring all staff receive cybersecurity and awareness training, including continuous refresher sessions
• Access controls like zero trust, role-based access control (RBAC), permission management, and multi-factor authentication (MFA)

Cybersecurity is not a one-time effort. Cyber threats are ever evolving and pose a constant challenge for organizations striving to maintain strong cybersecurity defenses. New attack techniques, vulnerabilities, and malicious actors are continuously emerging, which means companies must prioritize continuous preparedness. NIS2 sets the new normal that every modern company should adopt to securely operate in today’s hyper-connected world. NIS2 compliance isn’t just about avoiding fines; it’s about securing your company’s future in this cyberwarfare digital age.

Why delay? Act today and avoid becoming a cyber-attack statistic.