The NIS 2 Directive was adopted with the goal of updating and expanding the previously adopted NIS Directive. Its main characteristic is that it expands the scope of the earlier NIS Directive by including sectors such as the manufacturing of medical devices, electrical equipment and motor vehicles, as well as certain B2B ICT services, such as managed service providers and managed security service providers. It should be noted that the list of relevant sectors can be expanded by the Member States through the transposition process.
Compliance with the directive will require new assessments, as a single entity might be subject to the legislation of several Member States. This is especially significant given that NIS 2 is not directly applicable but is to be transposed into national law by the Member States.
Entities will have short deadlines to notify authorities about significant incidents, with 24 hours allowed for initial notifications. It should be noted that the NIS 2 Directive has a very broad definition of significant incidents, covering those that have caused or have the potential to cause severe operational disruption of a service or a financial loss for the entity concerned, as well as those that have caused or have the potential to cause considerable material or non-material damage to natural or legal persons.
Sanctions available to authorities for failing to comply with NIS 2 rules are very stringent and can go up to 10 million euros or 2% of the turnover of the entity. Finally, to ensure compliance with the directive, NIS 2 introduces the possibility of liability of management bodies of companies.
Prepared by,
Daniel Vujacic, LL.M. (UW)