TLDR:
- The EU has revised its Cybersecurity Directive (NIS2) with new rules applying to a wide range of companies in various sectors
- NIS2 imposes new cybersecurity obligations and high fines for noncompliance, with EU countries having until October 17, 2024 to transpose the rules
In April 2024, Wilson Sonsini highlighted the importance of preparing for the EU’s new cybersecurity rules under NIS2. The European Union has made significant revisions to its Cybersecurity Directive, imposing new obligations on companies in critical sectors. The new rules are set to enhance cybersecurity measures and impose severe penalties for noncompliance.
The scope of NIS2 is extensive, covering essential and important entities operating within the EU. These include companies in critical sectors such as digital services, financial institutions, and manufacturers of medical devices. The directive requires companies to implement robust cybersecurity risk management measures and report significant incidents to the national Cyber Security Incident Response Team within strict deadlines.
One key aspect of NIS2 is the one-stop-shop mechanism, benefiting companies with establishments in several EU countries. These entities will primarily adhere to the laws of the country of their main establishment, simplifying compliance with cybersecurity regulations across jurisdictions. However, companies failing to meet their reporting or cybersecurity obligations may face hefty fines calculated on the basis of their annual turnover.
EU member states have until October 2024 to transpose NIS2 into national law, with variations expected across countries. The UK government also plans to introduce similar cybersecurity obligations to enhance online resilience. Companies are advised to carefully assess local requirements and adjust their cybersecurity strategies accordingly to ensure compliance.