In this article on the Network and Information Systems Directive (NIS2 Directive), we discuss the key cybersecurity obligations it imposes on a broad range of organisations and the first compliance deadlines, which are approaching quickly. The NIS2 Directive is intended to strengthen cyber resilience within the European Union by imposing strict requirements on the entities that fall within its scope. It explicitly covers manufacturers of medical devices, pharmaceutical companies, organisations involved in clinical research and other stakeholders in the life sciences sector. This article continues in the original English version.
Although the transposition deadline of October 17, 2024, has passed, many EU member states have yet to incorporate the NIS2 Directive into their national legal frameworks. Despite these delays, the Directive mandates that member states compile a list of in-scope entities by April 17, 2025. To facilitate this, entities falling within the scope of the directive will be required to provide specific information to the competent authorities, including details about the relevant sector and subsector of their activities subject to the NIS2 Directive.
Given these imminent requirements, in-scope entities must take proactive steps to prepare for compliance. Below, we outline the key actions organisations should undertake to initiate their compliance journey and ensure all necessary measures are in place.
Jurisdiction Under the NIS2 Directive: Which Rules Apply to In-Scope Entities?
Identifying whether an organisation falls within the scope of the NIS2 Directive is only part of the compliance process. It is equally important to determine the jurisdictional framework that governs the entity, as the directive establishes a minimum level of harmonisation across EU member states, leaving room for national discretion during transposition. For example, member states may expand the categories of "important" and "essential" entities, impose additional requirements not explicitly outlined in the directive, and detail the obligations applicable within their jurisdiction.
To ensure compliance, it is crucial for in-scope entities to identify the member state(s) whose laws apply and to determine the competent NIS2 authority for their operations.
The General Rule: Jurisdiction by Establishment
Under Article 26(1) of the NIS2 Directive, entities are subject to the jurisdiction of the member state in which they are established. For organisations operating in multiple member states, this means they may fall under the concurrent jurisdiction of each state where they have an establishment. In the case of a corporate group with multiple entities across the EU, each entity must comply with the national transposition law of the member state where it is established.
The "One-Stop-Shop" Mechanism
To simplify compliance for certain organisations, the NIS2 Directive introduces the "one-stop-shop" mechanism. This exception applies to specific categories of entities – including cloud computing service providers, data center service providers, content delivery network providers, managed service providers, and managed security service providers – allowing them to align with the laws of a single jurisdiction, even if they operate in multiple member states.
According to Article 26(1)(b), such entities are subject to the jurisdiction of the member state in which they have their main establishment. Under Article 26(2), the main establishment is in the member state where the entity’s decisions regarding cybersecurity risk-management measures are predominantly taken. If this cannot be determined, or if such decisions are not taken in the Union, the main establishment is in the member state where the entity’s cybersecurity operations are carried out. If neither criterion can be applied, the determining factor is the member state where the entity has the establishment with the highest number of employees in the Union.
Relevance to the Life Sciences Sector
Although stakeholders in the life sciences sector are not listed among the entities eligible for the "one-stop-shop" mechanism, a life sciences company may still fall under it if its own business activities match one of the specified categories, most notably where it itself provides cloud computing services to third parties. The mechanism attaches to the provider of the service, not to its customers: a life sciences company that merely consumes cloud services remains under the general establishment rule, although the jurisdiction of its providers can still matter for its supply chain obligations. Life sciences companies that provide such services, or depend on them, should therefore evaluate whether these provisions affect their compliance obligations, directly or indirectly.
National Registration for In-Scope Entities
Under Article 3 of the NIS2 Directive, member states are required to compile a list of essential entities, important entities, and entities providing domain name registration services. Member states must then notify the European Commission and the Cooperation Group of the total number of these entities, along with relevant information. To create this list, member states will require in-scope entities to provide a range of information, including:
- The entity's name;
- Its address and up-to-date contact details, such as email addresses, IP ranges, and telephone numbers;
- The relevant sector and subsector of its activities; and
- A list of the member states where it provides services that fall within the scope of the NIS2 Directive.
To facilitate this process, member states will establish a designated national mechanism through which entities can register and submit the required information to the competent authority.
Deadlines for Registration
As noted earlier, the NIS2 Directive sets April 17, 2025, as the deadline for member states to finalise and submit their lists of in-scope entities to the European Commission. To meet this deadline, member states are expected to set earlier registration deadlines for entities. For example:
- Italian entities must register by February 28, 2025.
- Belgian entities must register by March 18, 2025.
Additionally, certain categories of entities – including cloud computing service providers – face an accelerated deadline of January 17, 2025, under Article 27 of the NIS2 Directive. Member states may impose even stricter timelines.
Challenges for Entities in Member States Without Transposition
For entities operating in member states that have not yet transposed the NIS2 Directive into national law, the registration process may remain unclear. In such cases, organisations should refer to any draft transposition acts or preliminary guidance that may be available.
Even in the absence of specific national procedures, it is advisable for in-scope entities to begin preparing based on the NIS2 Directive’s requirements. This preparation includes gathering the necessary information and ensuring readiness to comply as soon as the national mechanism is established. Once the transposition acts are adopted, the registration timeline is likely to be tight, and organisations should be ready to act promptly.
Main Obligations Under the NIS2 Directive
The NIS2 Directive, much like the General Data Protection Regulation (EU) 2016/679 ("GDPR"), adopts a risk-based approach to cybersecurity compliance: the measures an entity must implement are scaled to the risks posed by its operations and circumstances, and Article 21(1) requires them to be appropriate and proportionate. As a result, no single universal set of measures can be prescribed for all in-scope entities. That said, Article 21(2) does set a minimum baseline of areas that every essential and important entity must address, including policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, secure acquisition, development and maintenance of systems (including vulnerability handling and disclosure), cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication. The risk-based approach governs how deeply each of these areas is implemented, not whether it is covered.
The obligations under the NIS2 Directive will take effect gradually, in accordance with national transposition acts. For example, the Italian transposition decree stipulates that the obligation to notify significant incidents will apply nine months after notification of inclusion in the list of essential or important entities by the competent authority.
Other obligations will become enforceable 18 months after notification, roughly around October 2026.
While these deadlines may seem distant, the scale and complexity of these obligations necessitate early preparation.
To ensure compliance, in-scope entities should undertake a comprehensive cybersecurity audit and a risk assessment to identify vulnerabilities and design measures tailored to their specific risks. Below are the key steps organisations should take:
Risk Assessment
A thorough risk assessment is the cornerstone of NIS2 compliance. In-scope entities should analyse their internal operations and information systems to:
- Map critical operations – Identify processes and services tied to critical network and information systems that underpin the organisation’s operations;
- Identify and assess risks – Evaluate potential threats to these systems, including data breaches, ransomware attacks, and service disruptions, and assess vulnerabilities in current processes or technologies. The assessment should also consider the likelihood and impact of such incidents on business operations and stakeholders;
- Comprehensive Cybersecurity Audit – Audit the existing cybersecurity measures to evaluate their effectiveness and alignment with NIS2 requirements. This audit should cover technical, organisational, and operational measures. Particular attention should be given to employee cybersecurity training programs and incident response procedures to ensure prompt and effective action in the event of a cybersecurity incident;
- Supply Chain Cybersecurity Assessment – The NIS2 Directive imposes specific obligations to manage cybersecurity risks across the supply chain (Article 21(2)(d)). In-scope entities need to assess their direct suppliers and service providers, taking into account the vulnerabilities specific to each of them and the overall quality of their products and cybersecurity practices, including their secure development procedures (Article 21(3)), to ensure that they meet adequate cybersecurity standards.
Gap Analysis and Implementation Plan
Based on the findings from the risk assessment and cybersecurity audit, entities should conduct a gap analysis to identify shortcomings and design an implementation plan to address them. The plan should:
- Establish a cybersecurity risk management framework – Develop and implement policies, procedures, and technical measures to meet the requirements of Article 21 of the NIS2 Directive. This includes drafting access control policies, asset management frameworks, and business continuity measures to mitigate operational disruptions caused by cyberattacks;
- Leverage certified ICT products – Evaluate the use of ICT products and services certified under European cybersecurity certification schemes, as outlined in Article 24 of the NIS2 Directive;
- Enhance supply chain security – Where deficiencies are identified, establish corrective measures, including implementing cyber due diligence measures and updating supplier contracts to ensure robust cybersecurity measures are applied throughout the supply chain;
- Prepare for incident notification – Implement robust systems to detect and report significant incidents within the staged deadlines set by Article 23 of the NIS2 Directive: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month of that notification. This includes alert mechanisms, clear incident thresholds aligned with the definition of a significant incident in Article 23(3) (severe operational disruption or financial loss, or considerable material or non-material damage to other persons), and personnel training;
- Accountability of the management bodies – Establish adequate organisational measures to ensure that the management bodies of essential and important entities actively participate in cybersecurity governance. This includes requiring their formal approval of cybersecurity risk-management measures, oversight of their implementation, and ensuring they possess sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
Final Considerations
While full compliance deadlines under the NIS2 Directive may vary across member states, the complexity and breadth of its obligations demand immediate action. By proactively addressing these requirements, in-scope entities can reduce vulnerabilities, strengthen resilience, and position themselves to meet regulatory expectations effectively. Early preparation is critical to avoiding last-minute challenges and ensuring a smooth transition to full compliance.