NIS 2: the Directive For a Common Level of Cyber Security
On 18 October 2024, Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union (“NIS 2”) must be transposed into our legal system. While waiting for the Directive to be transposed and for the principles it sets out to be translated into specific obligations by each Member State, we highlight its main elements below.
THE PURPOSE
NIS 2, which stands for Network and Information Security, aims to enhance the security of network and information systems across the European Union by standardizing the regulations set by individual member states.
The European Union has introduced NIS 2 to replace NIS 1 (EU Directive 2016/1148 of 6 July 2016, transposed in Italy by Legislative Decree No. 65 of 18 May 2018). The primary objective of NIS 2 is to counter cyber threats more effectively across the digital landscape. This objective becomes even more significant in cases where the threat can potentially impact critical or particularly sensitive sectors, the disruption of which could cause significant damage.
THE RECIPIENTS
Divided into the categories of “essential” and “important” entities, operators active in the following sectors fall within the scope of NIS 2:
- energy;
- transport;
- banking and financial market infrastructure;
- healthcare;
- drinking water and waste water;
- digital infrastructures;
- ICT, public administration and space services.
In addition, with NIS 2 the European legislator also brings operators active in the following critical areas within scope:
- postal and courier services;
- waste management;
- manufacture, production and distribution of chemicals;
- manufacture, processing and distribution of foodstuffs;
- manufacture of computers, electrical equipment, medical devices and in-vitro diagnostic medical devices;
- digital service providers;
- research organizations.
THE COMPETENT AUTHORITIES
It will be the responsibility of each Member State to designate or establish one or more competent authorities responsible for cybersecurity, with a supervisory role.
THE SANCTIONS
A penalty system is envisaged for essential and important players in the form of administrative fines “equal to a maximum of at least EUR 10,000,000 or a maximum of at least 2% of the total annual worldwide turnover for the preceding financial year of the undertaking to which the essential player belongs, whichever amount is higher”.
***
We remain at your disposal for any clarification.