With the arrival of the Regulation on Digital Operational Resilience (DORA) and the Network and Information Security 2 (NIS2) Directive, the security of information systems and the protection of critical infrastructures have become priorities for the European Union. NIS2 entered into force on 13 January 2023, and it aims to strengthen the cybersecurity of critical infrastructures in the European Union. The NIS2 follows the first NIS Directive (2016) and aligns with the European Union’s aim to better protect its member states against growing cyber threats. Through this directive, there is a will to build a more secure digital environment and prepare Europe to face increasing cyber threats by strengthening the resilience of critical infrastructures, harmonising cybersecurity across the European Union, and enhancing risk management and corporate governance. For a general overview of the NIS2 requirements, see our previous article “The NIS2 Era Is Here: Are You Compliance Ready”.
As defined in Article 288 of the Treaty of the Functioning of the European Union, a directive is binding. Each member state needs to leave the national authorities the choice of form and methods to implement this directive into national law.
According to Article 41 of the NIS2 Directive, member states shall have adopted and published the measures necessary to comply with this Directive by 17 October 2024.In France, the law on critical infrastructure resilience and strengthening cybersecurity, transposing the latter directive, was presented to the Senate on 15 October 2024 and shall be adopted soon. In Luxembourg, the NIS2 Directive has not yet been implemented. On 13 March 2024, a draft law implementing the NIS2 Directive has been filed. On 8 October 2024, the Council of State published an opinion on this draft that will be discussed by the Committee on Institutions on 9 December 2024.
NIS2 Directive Overview and Implementation in France and Luxembourg
Obligations of the NIS2 Directive
The NIS2 Directive imposes several key obligations on organisations to strengthen cybersecurity . One such obligation is the contractual security of supply chains. Entities must ensure that their supply chain partners meet cybersecurity standards, and they are required to include appropriate security clauses in contracts with suppliers to mitigate risks originating from third-party vulnerabilities.
Another important obligation is the commitments and responsibilities of management bodies. The directive holds senior management accountable for ensuring that adequate cybersecurity measures are in place, requiring them to actively engage in cybersecurity governance and take responsibility for overseeing the implementation of security policies.
Additionally, the NIS2 Directive mandates the implementation of 10 security measures. These measures cover key areas such as risk management, incident response, access control, and system integrity, among others. Organisations must adopt these measures to strengthen their overall cybersecurity posture and reduce the risk of cyberattacks. These mandatory measures aim to create a baseline of security practices across all critical and important sectors in the European Union, ensuring a high level of protection against evolving cyber threats.
Last, the obligation to notify incidents is another key requirement of NIS2. Entities must notify the relevant authorities, such as national cybersecurity bodies, within 24 hours of detecting a significant cybersecurity incident. If an incident poses a substantial risk to the continuity of services, entities must provide a detailed report, including the nature of the incident, its potential impact, and the measures taken to mitigate it. This notification process ensures that authorities can quickly respond to large-scale threats and that organisations share critical information to improve the overall security posture within the European Union.
New Entities Covered by the NIS2 Directive
The NIS2 Directive also introduces new categories of entities based on their size, which are subject to enhanced cybersecurity obligations. These categories are primarily defined by the number of employees, annual revenue, and annual balance sheet of the company. The two new categories of entities in the NIS2 are large and medium-size enterprises and medium-size enterprises.
Large and medium-size enterprises are those that meet the following thresholds: more than 250 employees, annual revenue exceeding €50 million, and a minimum annual balance sheet of €43 million. These entities are considered critical due to their size and influence in their sector. They are subject to strict cybersecurity obligations to ensure the protection of their infrastructure and critical services, particularly in terms of risk management, resilience to cyberattacks, and incident notification.
A medium-size enterprise is a company that employs between 50 and 250 employees. Its annual revenue may oscillate between €10 million and €50 million, with its annual balance sheet between €10 million and €43 million. While these companies are smaller, they still play a significant role in the economy and society. They are also subject to strengthened cybersecurity requirements, but in practice, the compliance obligations may be somewhat less stringent compared to large enterprises. Nevertheless, they must also implement appropriate security measures and meet the minimum standards set by the NIS2 Directive to protect their systems and infrastructure.
High Critical Sectors and Critical Sectors under NIS2 (Annex I and II)
Several sectors considered highly critical by the NIS2 Directive must comply with enhanced cybersecurity measures to ensure the resilience of essential infrastructure across Europe. These sectors are energy (electricity, oil, gas), transport (air, rail, maritime, road, inland waterways), banking, and financial market infrastructures. The health sector, including healthcare providers and medical device manufacturers, is also included due to its vulnerability to cyberattacks. Additionally, the management of drinking water and wastewater, as well as digital infrastructures such as cloud service providers and data centers, are subject to the NIS2 Directive’s cybersecurity obligations. The aim is to harmonise the protection of these strategic sectors across Europe.
Other important sectors include waste management, postal and parcel services, chemicals, food, and certain manufacturing. Although not classified as essential, these sectors play a critical role in the economy and must also adhere to cybersecurity standards to mitigate the risk of disruption. The goal of the NIS2 Directive is to harmonise and strengthen cybersecurity across these critical sectors throughout the European Union by imposing obligations proportionate to their respective importance.
The Responsible Body
The NIS2 Directive grants specific powers to the responsible body to ensure the cybersecurity of critical infrastructures. These include conducting targeted security audits to assess whether essential service operators and digital providers comply with security requirements. The responsible body can request information about security measures and access sensitive data to detect vulnerabilities. It also verifies the implementation of cybersecurity policies and performs security scans on critical systems. These powers allow the authority to maintain strict oversight and proactively address cyber threats.
For essential entities, the responsible authority conducts both document checks and on-site technical inspections to ensure the effective implementation of cybersecurity measures.
For important entities, evaluations focus on document audits and remote compliance checks, with fewer on-site inspections due to their slightly lower criticality.
Sanctions for noncompliance can include fines of up to €10 million or 2% of global turnover for large and medium sized entreprise, and €7 million or 1.4% for medium-size companies. Other sanctions include compliance orders, revocation of certifications, temporary suspension of activities, and public disclosure of breaches. Essential entities, which pose a higher risk, face more frequent audits and stricter sanctions compared to important entities, which are subject to lighter penalties and fewer controls. In France, the French Cybersecurity Agency (ANSSI) is the responsible body regarding the application of the NIS2 Directive, and in Luxembourg, it is the Institut Luxembourgeois de Régulation (ILR).
Incident Notification Process
The incident notification process, as outlined by the NIS2 Directive, requires a series of steps to be followed by affected entities in the event of a major security incident. In France, once an incident is detected, an early warning must be sent to ANSSI or the Computer Security Incident Response Team (CSIRT) within no more than 24 hours. Following this, the official notification of the incident must be sent within 72 hours of detection. An interim report may be requested by ANSSI/CSIRT, providing relevant updates on the incident’s status. Last, a final report, summarising the complete details of the incident, must be submitted to ANSSI/CSIRT no later than one month from the initial incident notification. This process ensures the rapid and transparent management of significant security incidents to maintain the resilience of critical infrastructures.
In Luxembourg, draft law 8364, which transposes the NIS2 Directive into national law, requires that essential and important entities report all incidents within 24 hours of detection to the competent authority. The competent authority then forwards the notification to the relevant CSIRT and the single point of contact. However, this obligation does not prevent the entity from providing information related to the incident to its own CSIRT. The ILR will inform the entities about the incident notification procedure. The government plans to integrate an “incident reporting” module into the SERIMA tool as the national platform for incident reporting, allowing entities to notify additional authorities about incidents. This will simplify the notification procedures for entities.
With its expansive coverage and stringent compliance measures, the NIS2 Directive represents a significant step forward in strengthening the European Union’s digital security landscape. For organisations, this directive provides an opportunity to enhance cybersecurity and build resilience against growing digital threats. By preparing now, organisations can not only meet regulatory standards but also strengthen their position as cybersecurity-conscious leaders in their industries.
At Goodwin, our team specialises in European compliance. Our knowledge of European standards can help you comply with these regulations and fully establish yourself within the European Union. For assistance with NIS2 compliance and guidance on implementing effective cybersecurity measures, please contact our team.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
