In today’s interconnected world, a robust cybersecurity posture is not just a regulatory requirement but a critical component of business strategy, especially for financial services firms and fintech companies. With our reliance on digital platforms, the broadening of the attack surface and the ever-increasing sophistication of threat actors, regulators will continue to pay particular attention to cybersecurity compliance.
The Network and Information Systems (NIS) 2 Directive aims to enhance the level of cybersecurity across EU essential and important entities. NIS2 works in tandem with other EU cybersecurity regulations, including the Digital Operational Resilience Act (DORA), discussed further below, the Cyber Resilience Act and GDPR.
Background NIS2
NIS2 builds capabilities across the EU to mitigate threats to network and information systems used to provide essential services in key sectors (covering everything from the supply of safe drinking water and reliable energy supplies to our transport networks); it is designed to ensure the continuity of these essential services in the face of security incidents, to ultimately contribute to the effective functioning of the EU single market.
After entering into force on January 16, 2023, NIS2 is due to be transposed into national law across all 27 EU member states by October 2024. It builds upon (and replaces) the original NIS Directive (implemented in May 2018) by expanding the scope of companies who are subject to the legislation and introducing stricter requirements for incident reporting and cyber risk management.
Who does NIS2 apply to?
NIS2 covers a broader range of sectors, including:
- financial market infrastructures (trading venues and central counterparties),
- banking (credit institutions),
- energy (including the supply of electricity, oil, gas and hydrogen),
- transport and aerospace,
- healthcare and the pharmaceutical industry,
- water supply and distribution (drinking water and waste water),
- digital infrastructure and ICT managed services,
- and public administration (central and local government).
Annex II sweeps in “other critical sectors” which include postal and courier services, waste management, wholesale or industrial-scale food processing and distribution, some manufacturing activities and certain digital service providers.
However, in order to fall within the remit of NIS2, an entity must provide its services in the EU, fall within one (or more) of the categories set out in the Annexes and meet the size thresholds determined by the Directive (in basic terms, have 250 employees or more, an annual turnover of €50m ($55m) and/or an annual balance sheet total of €43m ($47m)).
There are some exceptions to the threshold rules – for example, where the entity in question is the sole provider (in that member state) of a critical service, or where it is specifically designated as an “important entity” by the competent authorities, and finally some entities which are automatically designated regardless of size (such as qualified trust service providers and top-level domain name registries).
By April 17, 2025, each member state will have to “establish” a list of essential and important entities (and keep that list up to date). Importantly, the Directive does not require this list to be “published”, but we anticipate that competent authorities will make contact with entities which they believe to be in scope. (Please note that assessing whether or not your organization is an “essential” or an “important” entity – or indeed challenging a designation – may require detailed analysis and legal advice.)
Reporting security incidents
Organizations in scope must provide early warning of significant incidents as soon as possible, but no later than 24 hours after becoming aware of the event. The principle here is that local competent authorities (and the national CSIRTs established under NIS2) are able to share intelligence on material cybersecurity events which may have cross-border impact – a little like putting up a flare or making a smoke signal. The affected entities must then provide a more detailed notification within 72 hours.
This notification should include an initial assessment of the incident, its severity and its impact on critical services, as well as (where available) any indicators of compromise. Again, this information can be used by local agencies and CSIRTs to (hopefully) share intelligence and enable other entities, organisations and public sector bodies to shore up their defences and mitigate the risk of contagion.
Note that where the “incident” also affects the availability, confidentiality or integrity of personal data, it will likely be notifiable under GDPR as well.
It is worth noting that EU member states (and their CSIRTs) will also issue guidance on reporting “near misses” – unless implemented in a proportionate manner, these requirements may impose a significant administrative burden on critical or important entities.
Cybersecurity measures
NIS2 mandates that essential and important entities implement and maintain comprehensive risk management measures (including regular cybersecurity assessments) and implement “appropriate and proportionate” technical and organisational measures.
It is important to note that the Directive is “outcomes” focused and does not prescribe the specific measures to be taken, but it does provide some guidance (see Article 21). The onus will be on essential and important entities to demonstrate that the steps they have taken to safeguard their networks and IT (and OT) infrastructure are commensurate with the risks posed to their operations and provision of services, so as to prevent incidents (or minimise the impact of those incidents on the recipients of their services, whether those services are received directly from the entity or indirectly – for example, through an intermediary or another service provider).
The recitals of the Directive refer to EU and international standards (such as ISO/IEC 27001) and, whilst they can be used as a benchmark for good practice, they are not mandated (and indeed holding an ISO/IEC certification will not serve as a total absolution of responsibility).
It is important to note that these “measures” are not limited to logical security controls but extend to the security of physical infrastructure (such as servers, routers, cabling and other hardware components), and also require measures to protect not just against cyber-attacks but to ensure continuity of service in the face of natural disasters (fire, flood, earthquake), failures in telecommunications systems, sabotage and human error. In short, NIS2 requires an all-hazards approach, and providers of essential services will not be able to use force majeure as a get-out-of-jail-free card.
Overlap with DORA
The overlaps between DORA and NIS2 have created some concern and uncertainty in the market – noting that the “Sectors of High Criticality” in NIS2 include credit institutions, operators of trading venues and central counterparties, which are all within the scope of Article 2 of DORA. However, to address this the European Commission has issued Guidelines which explicitly state that DORA has priority over the NIS2 provisions in respect of ICT risk management, cyber incident reporting, digital operational resilience testing, information-sharing, ICT third-party risk, supervision and enforcement, inter alia.
It is also worth noting that NIS2 (as a Directive) will require implementation in each EU member state, whereas DORA will apply directly to (and will be enforceable directly against) in-scope financial entities. As such, any entities which fall within the scope of both NIS2 and DORA should seek advice, noting that some conglomerates may have entities which fall within the scope of one or the other (or both!).
Implications for UK/US stakeholders
For UK and US stakeholders which provide qualifying services in the EU, compliance with the NIS2 Directive is essential. Failure to comply can result in significant fines (up to €10m ($11m) or 2% of annual worldwide turnover), personal liability for management bodies, and reputational damage. In extreme circumstances, member states may impose criminal penalties under national rules transposing NIS2.
US companies must navigate the complexities of aligning their cybersecurity practices with EU, UK (under the UK’s Cyber Security and Resilience Bill) and US regulations, such as those enforced by a slew of regulators (including the SEC, FDIC, OCC, the Federal Reserve and FINRA) and under HIPAA in respect of healthcare records.
There is an added complexity (and administrative burden) for UK operators of essential services – post-Brexit they may find that they are subject to the rules under the Network and Information Systems Regulations 2018 (which implemented the original NIS Directive) as well as those under NIS2 in respect of their European operations.
Managing supply chain risk
When considering cybersecurity controls, essential and important entities should not limit themselves to their own enterprise but must carefully consider their exposure to threats and vulnerabilities which might be introduced by their supply chain partners, vendors, and affiliates. Some of the most crippling incidents and outages affecting financial services, the energy sector, transport and aviation, and healthcare have resulted from security lapses in the supply chain.
To mitigate such risks, companies should regularly assess (and test) the cybersecurity practices, processes and procedures of their supply chain partners to identify (and address) vulnerabilities that might have an impact on the provision of essential services. It is vital that contracts with suppliers and vendors contain robust cybersecurity requirements and that those requirements are regularly stress tested against a range of severe but plausible scenarios.
Under DORA (for example) there is a requirement for firms to run threat-led penetration testing, and it is not uncommon for companies in critical sectors to insist on running periodic red/blue team exercises with critical partners (but these have to be followed by a clear remediation plan to promptly address any vulnerabilities).
Conclusions
Cybersecurity compliance under EU legislation (and in an increasingly interconnected world) is a complex but essential aspect of business strategy for UK and US businesses.
By understanding the requirements of NIS2, DORA (and other applicable laws and regulations) and aligning their practices accordingly, financial sector entities can enhance their cybersecurity posture, help protect critical infrastructure, and maintain the trust of their clients, customers and partners.
Craig Rogers is a partner in the London office. He advises on complex IT and outsourcing arrangements. Robbert Santifort is a principal associate and specializes in IP/IT and Data Privacy law. Felix Schulte-Strathaus is an associate solicitor in the Commercial (technology) team.