Introduction
The NIS2 Directive (NIS2 or the Directive) introduces extensive new cybersecurity requirements for a wide range of organizations. As explained in Part 1 of this article series, entities within the scope of the Directive must adopt comprehensive cybersecurity measures to comply with the updated regulatory framework.
Since NIS2 is designed as a directive, it does not apply directly to organizations. Instead, its provisions must first be transposed into the national laws of EU member states. The deadline for this transposition expired on 17 October 2024, but many member states are still in the process of enacting the necessary legislation.
Now that the transposition period has expired on 17 October 2024 and most EU member states are still working on the relevant transposition laws, entities within the scope of the Directive are wondering what the consequences will be if they fail to comply with the cybersecurity requirements under NIS2 or the respective domestic law.
Non-compliance with NIS2 requirements can lead to significant repercussions, which may manifest in two key ways: on the one hand, entities found to be non-compliant can face regulatory investigations and sanctions; on the other hand, members of management bodies can be held personally liable for failures to implement adequate cybersecurity measures.
Supervisory and enforcement measures
Non-compliance with the cybersecurity requirements of NIS2 can lead to supervisory and enforcement actions. These measures vary depending on whether they are directed at essential entities or important entities (for definitions of these terms, refer to Part 1). The imposition of administrative fines is of particular relevance due to the potentially significant economic impact.
Essential entities
For the supervision of essential entities, the Directive sets a minimum standard of powers that the Member States must grant to the competent supervisory authorities. For instance, the supervisory authorities must have the power to carry out on-site inspections and off-site supervision, security audits and security scans, and to request necessary information and access to data, documents and evidence. Furthermore, the Directive contains a series of measures that the authorities should be entitled to take when enforcing their supervisory powers. The authorities can, for example, issue warnings, order companies to cease conduct in breach of the Directive or appoint a monitoring officer for a specified period. In general, the enforcement measures shall comply with the rights of defense and take account of the circumstances of each individual case. If regulatory enforcement is ineffective, the certification or authorisation of the relevant services or activities provided may be temporarily suspended, or any natural person who is responsible for discharging managerial responsibilities at CEO or legal representative level in the essential entity may be temporarily prohibited from exercising managerial functions in that entity.
Important entities
With regard to important entities, the powers of the competent authorities are similar to the powers regarding essential entities. The off-site supervision and the request for information necessary to assess the cybersecurity risk-management measures are regulated differently. These can also be exercised ex-post. The minimum requirements for the powers of supervision and enforcement of the competent authority are largely comparable to those of the authorities for essential entities.
Administrative fines
With regard to fines, NIS2 is based on well-known concepts, such as those already familiar from the GDPR. If essential entities violate their obligations to implement the risk management measures under Article 21 NIS2 or their reporting obligations under Article 23 NIS2, the Directive provides for administrative fines with a maximum of at least EUR 10 million or at least 2% of the total worldwide turnover in the previous financial year of the undertaking to which the entity belongs, whichever is higher. In the case of important entities, the maximum fines will be at least EUR 7 million or 1.4% of the previous year's turnover.
When setting the amount of the fine, all factual circumstances must be taken into account. In the transposition laws, the member states must ensure that fines are effective, dissuasive, and proportionate. In addition to fines, the competent authorities can also impose periodic penalty payments to force the affected entity to stop infringing NIS2.
Further aspects
Furthermore, the relationship between the supervisory measures under NIS2 and the GDPR is of practical relevance. If the competent authority under NIS2 becomes aware that the infringement of Article 21 or Article 23 NIS2 can entail a personal data breach within the meaning of Article 4(12) GDPR, which needs to be notified to the competent data protection supervisory authority according to Article 33 GDPR, the authority informs the competent data protection supervisory authority thereof. If the competent data protection supervisory authority has already imposed an administrative fine for the same conduct, the authority competent for NIS2 or the transposition law shall not impose an administrative fine as well. However, it is entitled to impose further enforcement measures as described above.
Liability for management bodies
To ensure that its requirements are implemented as efficiently as possible, NIS2 also addresses members of management bodies of in-scope entities. On the one hand, the Directive obliges members of the management bodies to ensure the proper implementation of NIS2 requirements; on the other hand, NIS2 requires member states to establish regulations under which members of management bodies are personally liable for infringements of NIS2 requirements.
According to Article 20(1) NIS2, management bodies of essential and important entities approve the cybersecurity risk-management measures the respective entity has taken in order to comply with Article 21 NIS2. Furthermore, management bodies are required to oversee the implementation of such measures.
This regulation marks a significant tightening compared to the previous NIS1 Directive, as it not only mandates management approval of risk management measures prior to implementation but also requires ongoing assessment of the current state and adjustments as needed. In light of the rapidly changing technological environment, Article 20(1) NIS2 requires management to take these technological changes into account when making decisions, in view of the need for cybersecurity measures and the necessity of protecting the respective entity. In-depth knowledge of the current state of the cybersecurity infrastructure and any necessary adaptation measures is also essential under NIS2.
To effectively assess the adequacy of cybersecurity risk-management measures, approve them, and oversee their implementation, Article 20(2) NIS2 stipulates that members of management undergo specific training. This training is designed to equip them with the necessary knowledge and skills to identify risks, evaluate risk-management measures, and understand their impact on the services provided by the organization.
Conclusion
NIS2 introduces a range of supervisory and enforcement measures to address infringements of its requirements, targeting both affected entities and their management. These measures include supervisory actions such as the imposition of administrative fines and extend to the personal liability of management. Consequently, ensuring compliance with NIS2’s cybersecurity requirements is crucial not only for the entities themselves but also for their management to mitigate potential risks and liabilities.
It remains to be seen whether the member states will implement NIS2 in strict accordance with the Directive or whether they will possibly adopt even stricter rules with respect to infringements of the cybersecurity requirements. Practice will show to what extent the consequences of non-compliance, as outlined above, will actually motivate the entities concerned to update their cybersecurity infrastructure.