Abstract:
The EU has expressly recognised the criticality of the life sciences sector by bringing pharmaceutical manufacturers, clinical research organisations and medical device manufacturers within scope of its new NIS2 cybersecurity legislation. With a Member State implementation deadline of 17 October 2024, the new law is already with us, although many Member States are still lagging behind in their transposition. However, it is critical that life sciences organisations use this time to urgently identify whether they are in scope and start preparing for compliance with NIS2 requirements. In this article, we analyse which life sciences organisations have been brought into scope, and the key requirements of this critical new cybersecurity legislation.
Introduction
On 17 October 2024, we marked the implementation deadline of the second Network and Information Systems ("NIS2") Directive, the EU's bolstered new cybersecurity law. For those Member States which have implemented NIS2 into national law in time, the new laws will apply from 18 October 2024. Aside from enhanced reporting for significant incidents, increased enforcement and new personal liability for management, one of the key differences between NIS2 and its 2018 predecessor is its significantly enhanced scope.
While NIS1 focused its remit on core national infrastructure such as power, water, transport and financial services, NIS2 has greatly expanded the list of industries it considers to be "critical" infrastructure and therefore within its scope. Amongst the 18 industries now listed are healthcare providers, including pharmaceutical manufacturers and entities providing research and development of medicinal products, as well as manufacturers of medical devices.
While some healthcare providers were previously included within the scope of NIS1 (defined as "health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provision of medicinal products and medical devices"), the increased scope of NIS2 to specifically include pharma and clinical research activity means that thousands of life sciences organisations which provide services within the EU will now be in scope of the EU's robust cybersecurity laws for the first time. Coupled with the enhancement of the rules for those previously in scope under NIS1, this means significant impacts across the life sciences sector.
This article explores what NIS2 is, which organisations are expected to be in scope and what those impacts might look like.
What is NIS2?
Part of the EU’s Cybersecurity Strategy, NIS2 repeals and replaces the original NIS Directive which entered into force in 2016 (with Member State implementation by 9 May 2018). Much like its predecessor, it establishes measures for a common level of cybersecurity for critical services and infrastructure across the EU. Recognising the ever-growing threat which cyber-crime poses for the economic and societal stability of the Union, NIS2 aims to harmonise cyber-resilience through the following obligations:
- Ensuring appropriate and proportionate cybersecurity risk management measures are in place following an “all-hazards” approach which is proportionate to risk, entity size, the likelihood of a security incident and the severity of economic/social impact were it to happen. Notably, and unlike its NIS1 predecessor, the cost of implementation can be taken into account when determining what measures are appropriate and proportionate.
- Supply chain diligence – as part of assessing its own cybersecurity measures, an in-scope organisation must now assess and assure the cybersecurity practices of its supply chain including how cybersecurity obligations are driven by contractual mechanisms.
- Three-stage reporting obligations upon the occurrence of a "significant incident"[1] – the first report required will be an early warning within 24 hours of first awareness. This should be followed by a second, more comprehensive notification within 72 hours, and a more detailed report within one month of the initial notification.
- Executive approval and oversight – management bodies of in-scope entities must both approve and oversee the implementation of their cybersecurity risk management measures. They will be personally liable for any fines which might result from a breach. NIS2 also gives supervisory authorities the power to suspend relevant management functions pending implementation of measures to address any breach. Management bodies are also required to undertake and follow training on cybersecurity measures, and to offer similar training to their employees on a regular basis.
- Enhanced supervision and enforcement – these can be grouped into powers of audit and inspection, enforcement, and temporary suspension of management obligations / relevant security certifications. The award of fines will be in addition to other enforcement measures, and can reach a maximum of €10 million / 2% of total global annual turnover for Essential Entities, and €7 million / 1% for Important Entities.
Which entities will be in scope of NIS2?
The main determining factor of whether an entity is in scope will be whether it falls within those sectors specifically called out in the Directive. The reach of NIS2 is significantly wider than its predecessor. No longer applying solely to “Operators of Essential Services” and “Digital Service Providers”, NIS2 has been expanded to include a greater number of named sectors including: managed service providers, social media, waste management, postal services, food, space (as in rockets, not storage), chemical distribution and public administration services, as well as those life sciences sectors discussed below.
However, being an industry type mentioned in the Directive will not in itself be determinative. In addition, to be in scope, an entity must provide the relevant services in the EU, and must also be a "medium-sized enterprise" as defined under Recommendation 2003/361/EC. This defines an MSE as one "which employs fewer than 250 persons and which has an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million". However, the Recommendation also takes into account an organisation's relationship with certain "linked" or "partner" enterprises for the purposes of assessing MSE status. In practice this means that even smaller organisations will be brought within scope of NIS2 if they can be seen as being linked to another organisation by virtue of factors such as parent company or joint shareholder voting rights, or the exercise of dominant influence over a linked or partner enterprise.
While NIS2 does not include an "establishment" criterion similar to that of the GDPR, the operation of complex rules around jurisdiction means that, to all intents and purposes, only those organisations which have an establishment in the EU will fall within its scope. The exception to this will be those organisations said to fall within a "digital sector", including cloud providers, data centres, domain name service providers, managed service providers, online marketplaces and providers of search engines and social media platforms. For this group of entities, the law will have extra-territorial application, and the requirement to appoint an EU Representative in a Member State where the entity provides services will apply.
Which life sciences entities will be in scope of NIS2?
Following its expanded application to an increased list of entities deemed by the EU as "critical", NIS2 will now apply to the following healthcare organisations:
- manufacturers of medical devices;
- manufacturers of in vitro diagnostic (IVD) medical devices;
- manufacturers of basic pharmaceutical products and pharmaceutical preparations;
- providers engaged in research and development of medicinal products; and
- manufacturers of medical devices considered critical during public health emergencies.
Of the five categories listed above, only the final three are listed in Annex I of NIS2 (the so-called "High Criticality" sectors) and as such are likely (subject to specific factors such as national importance and Member State discretion) to be deemed "Essential" entities. As such, a higher level of more proactive enforcement activity is likely to apply. By contrast, manufacturers of medical devices and IVDs fall within Annex II and are therefore likely to be deemed "Important" entities, to whom a more reactive regime of enforcement will apply. We discuss enforcement measures in a later article in our CORTEX series.
Which pharma entities will be in scope for NIS2?
NIS2 will not apply to all entities operating in the pharmaceuticals industry, even if they operate in the EU. The starting point for NIS2 is that it will apply to manufacturers of basic pharmaceutical products and pharmaceutical preparations. It therefore appears as though companies solely engaged in the distribution or marketing of pharmaceutical products may be excluded from the scope of NIS2. This position can be contrasted with the Critical Entities Resilience Directive ("CER"), the sister legislation of NIS2 which deals with all other operational risks to critical entities other than cyber. In that Directive, the entities falling under "Health" replicate those listed in NIS2 exactly apart from one key addition – those entities holding a pharmaceuticals distribution certification.
This suggests that the absence of distribution entities from the scope of NIS2 was purposeful, although owing to the interrelationship between the two legislative instruments, such distribution organisations could nevertheless fall within the scope of NIS2 as a result of being categorised as a "Critical" entity by a relevant Member State under the CER. However, that identification is not due to take place until 17 July 2026, meaning that relevant entities will still need to wait some time to discover whether they have been impacted in this way.
Even for those pharmaceutical manufacturers for whom the application of NIS2 is clearer, there is still a question of whether the pharmaceutical products they manufacture would be classified as "basic" or could otherwise be classified as "pharmaceutical preparations".
Whilst the scope of 'basic pharmaceutical products' is narrower, and is focused on the underlying components / building blocks of medicinal products (e.g., antibiotics, basic vitamins, salicylic and O-acetylsalicylic acids), the scope of 'pharmaceutical preparations' is broader, and seems to capture medicinal products in general terms. The term 'pharmaceutical preparation' is defined by the NIH as a "drug intended for human or veterinary use, presented in [its] finished dosage form", and the term 'medicament' (also used in NACE Rev. 2) is similarly broad.
What medical devices manufacturers will be in scope for NIS2?
NIS2 draws a distinction between the manufacture of medical devices used for in vitro diagnostics and those used for more general purposes. That second category includes any instrument, apparatus, appliance, software, implant, reagent, material or other article intended to be used for the prevention, diagnosis, monitoring, prediction, prognosis, treatment or alleviation of disease. The category also includes devices supporting or controlling conception, and those products used to clean, disinfect or sterilise medical devices.
Interestingly, manufacturers of medical devices, while falling within Annex II (and therefore likely an "Important" entity for enforcement purposes), could be "upgraded" to Annex I where their devices are designated as critical in a public health emergency by the European Medicines Agency. This is no doubt a response to the criticality of such devices as seen during the recent COVID pandemic.
Who will be in scope for NIS2 when carrying out clinical research activity?
NIS2 includes those organisations carrying out research on restorative and preventative medicinal products presented for treating human disease. While this is likely to include the great majority of clinical trial activities, it is less clear who, out of the multiple parties who might be involved in a clinical trial, would be brought into scope of NIS2. For example, would NIS2 be limited to the Sponsor of a trial, or would any relevant Clinical Research Organisations (CROs) or trial sites also be impacted? The answer appears to be that potentially all parties to a trial could be in scope if they are seen to be providing clinical research services within the EU. However, ultimately this will be a question of individual Member State implementation, and potentially in-scope organisations would be best advised to start preparing for NIS2 on the assumption that they will be in scope.
What are the next steps for an organisation in scope for NIS2?
Preparation will be key for those entities which are in scope for NIS2. At the heart of that preparation will be ensuring that an organisation's cybersecurity risk management measures align with the minimum standards set out in NIS2, including ensuring the robust security of any relevant supply chains. Organisations should ensure that they are able to report a significant incident within the newly mandated timelines, and that they understand what incidents will trigger the requirement. They should also identify and prepare their management body, ensuring it understands its enhanced role under NIS2 and the personal liability for any breaches of the law. Finally, and importantly, organisations should identify under which Member State jurisdictions they will fall so that they can begin to identify relevant transposing laws and local registration requirements.
We will deal with preparatory steps in more detail in the next article in our NIS2 CORTEX series.
Conclusion
There is no doubting the significant role of healthcare as a critical sector underpinning the functioning of the European economy and society. This was never brought into greater focus than during the COVID pandemic, re-emphasising in the minds of governments and legislators across the EU the paramount importance of the life sciences sector to society at large. However, this also makes life sciences particularly vulnerable to the threat of cyber attack, a fact which has been starkly evidenced through the involvement of healthcare organisations in multiple high-profile attacks in recent years. This is a particular risk given the volume and sensitivity of patient data at stake, and the criticality of healthcare services which could be interrupted where associated IT systems are brought to their knees by cyber criminals.
It is therefore entirely unsurprising that the EU has decided to broaden the scope of its new NIS2 legislation to include pharmaceutical manufacturers, organisations engaged in clinical research and medical device manufacturers. Many organisations falling within these categories will be in scope for NIS for the first time. This means that identifying whether or not they are in scope, followed by key preparatory activity, will be more important than ever. And with the Member State deadline for implementation already passed, that preparation is now more urgent than ever.
See our next article for our top tips on how to prepare for NIS2, and our dedicated NIS2 website for links to all other related DLA Piper content.
References:
[1] Defined as an incident “causing or being capable of causing severe operational disruption of services or financial loss or has affected or is capable of affecting natural or legal persons by causing considerable material or non-material damage”.