On October 17, 2024, the implementation deadline of the NIS2 directive will be upon us. While the implications of NIS2 beyond Europe are not as broad as GDPR, the directive does in some instances exert extraterritorial jurisdiction. To help your organisation navigate the path to compliance, this blog sheds a light on the implications of NIS2 in Europe and beyond.
The arrival of NIS2 is only 8 months away. With significantly enhanced requirements for cybersecurity management which extends across the supply chain, increased reporting obligations, and personal liability for senior management, working out whether your organisation is in the scope of NIS2 isn’t something to take lightly.
As the NIS2 directive aims at improving the resilience and incident response capacities of both the public and private sector and the European Union as a whole, the impact of the revised directive extends across the borders of the EU (European Union). Let’s have a look at how NIS2 is shaping the future of cybersecurity globally.
Cybersecurity knows no borders
Like GDPR, NIS2 has global ramifications. International organisations that have offices in the EU are also subject to this new directive. When present in multiple EU member states, the location of the main establishment determines which member state jurisdiction the organisation falls under.
Furthermore, NIS2 also impacts all entities that provide essential or important services to the European economy and society. Companies and suppliers that fit the specific categories are expected to comply with NIS2 when conducting business with European organisations, regardless of whether they are based within or outside of the EU.
It is also worth noting the rules on jurisdiction and territoriality as described in article 26 of the directive. This article deals with determining under which member state jurisdiction an in-scope organisation falls. Important as each member state may interpret and implement the NIS2 directive differently and is permitted to exceed its baseline standards when implementing NIS2 obligations in national law.
Article 26 stipulates that organisations located outside of the European Union must appoint a representative in one of the EU member states where they are offering services. Subsequently, the organisation is considered to fall under the jurisdiction of the member state where the representative is established. In the absence of a representative, any member state in which the organisation provides services may take legal actions against infringement of the directive.
Sanctions and penalties for non-compliance
Under the final limb of the scope criteria, NIS2 will apply only to those entities who provide services or undertake activities in the European Union. Meaning that for a global organisation with subsidiaries within the EU, NIS2 only punishes the individual entities that are physically providing services or undertaking activities in the European Union.
However, as part of broader obligations on in-scope entities, cyber risk management requirements will apply to the entire supply chain. As a result, parent companies outside of the European Union may still be punished when the European entity is not compliant.
Organisations that are subject to non-compliance will be sanctioned and penalised. An essential organisation, for example, can be fined a maximum of 10 million euro or 2% of their global turnover when not complying with NIS2. An important entity can face a fine of up to 7 million euros or 1.4% or its global annual turnover. Besides, breaches of NIS2 also expose senior management to personal liability.
We are finding many customers have yet to start their NIS2 programme, with many citing the lack of local legislation as a reason to hold off. Remember, NIS2 is the minimum threshold, anything that comes in the local government legislation will be additive. Our advice is not to wait, start your program now, knowing that what has been published is your initial target.
Whitepaper: Are You Ready for NIS2?
Kick Start Your Journey Towards NIS2 Compliance
To take your first step towards NIS2 compliance, we have composed a whitepaper to help you gain a greater understanding of the NIS2 regulations. Dive into why the upcoming directive is relevant to your organisation and what are the first steps you should be taking.
How CWSI can help you with NIS2 in Europe
When it comes to NIS2, you need an experienced partner.
For over a decade, CWSI has played a pivotal role in empowering clients to thrive amidst the ever-changing landscape of threats. Our seasoned team of security professionals has extensive expertise and implements effective security protocols derived from our in-depth understanding of the forthcoming NIS2 Directive.
CWSI is ready to assist you in determining whether your organisation falls under the purview of the NIS2 Directive. We can evaluate your readiness for each crucial aspect, providing tailored insights and a roadmap to achieve compliance.
With three Microsoft Security Specializations in Identity and Access Management, Information Protection and Governance, and Threat Protection, CWSI stands as a recognized authority in key NIS2 domains: Identity, Data Governance, Security Threat Protection and Response, Education and Awareness, and Security Policy.
Our dedicated professionals and their expertise are pivotal in bridging the security gap between your current state and NIS2 compliance for your business.
Contact us
Get in contact today to begin your journey to NIS2 compliance.
