... and what role the legal or compliance department plays in this
Purpose and Scope of NIS 2
As a result of digitization and increasingly professionalized attacks, the threats to companies in cyberspace are greater than ever. To counter this threat, the European Union (EU) has developed a cybersecurity strategy and adopted various legal acts.
A key component is the NIS 2 Directive (Directive (EU) 2022/2555, the successor to the original Network and Information Security Directive). Its purpose is to harmonize and raise the level of cybersecurity for economically important organizations, the "essential" and "important" entities, across all member states.
Until now, cybersecurity obligations in Germany under the NIS 1 Directive have mainly applied to operators of critical infrastructures, providers of certain digital services and companies in the special public interest. With NIS 2, cybersecurity and cyber resilience obligations extend to a much broader range of companies: the Directive covers 18 sectors listed in its Annexes I and II, including energy, transport, healthcare, ICT service management, chemicals, manufacturing, food, waste management, postal services and public administration. Small and micro enterprises are generally excluded (broadly, the Directive applies from 50 employees or more than EUR 10 million in both annual turnover and balance sheet total upward), although some entity types such as DNS service providers, TLD name registries and qualified trust service providers are covered regardless of size. In Germany alone, an estimated ten thousand or so additional companies are therefore expected to fall under cybersecurity obligations.
Project approach
For the NIS 2 implementation, the legal or compliance department must be part of the project in order to (1) assess the impact of NIS 2 on the organisation (impact analysis), (2) legally validate the decisions taken during implementation and (3) help define the deviating requirements that result from national transposition in the markets in which the organisation operates. The work breaks down into three steps:
NIS 2 is a piece of legislation whose implementation must be assisted and monitored by the legal or compliance department.
Step 1
Impact Analysis
The first question for legal or compliance departments is therefore whether the company or organization falls within the scope of NIS 2 at all and, if so, whether as an essential or an important entity, since supervision and fine levels differ between the two. We support you with an impact analysis.
Step 2
Implementation
The implementation of cyber security and resilience measures is primarily the responsibility of the IT and information security departments. However, NIS 2 and the national laws transposing it are legal texts: whether a given set of measures is legally compliant has to be interpreted, evaluated and decided within the company. The legal or compliance department must therefore be involved and support the implementation in a reviewing capacity.
Legal and compliance departments should, for example, pay particular attention to the processes that ensure timely reporting of significant incidents. The Directive (Article 23) prescribes a staged procedure: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment within 72 hours, and a final report within one month, with intermediate status reports on request. For reasons of efficiency, these steps should be integrated into the general incident management process rather than run as a separate procedure, so that the team handling the technical response also starts the regulatory clock.
Support from the legal or compliance department is also advisable for liability reasons. On the one hand, in view of fines that the Directive requires to reach at least EUR 10 million or 2 percent of worldwide annual turnover for essential entities (EUR 7 million or 1.4 percent for important entities), with national laws free to set higher ceilings, NIS 2 must be treated as a risk position within risk management. On the other hand, NIS 2 (Article 20) explicitly makes management bodies responsible: they must approve the cybersecurity risk-management measures, oversee their implementation, undergo training and can be held personally liable for infringements. The legal or compliance department must typically assess this exposure and help management build the documented governance that protects against it.
NIS 2 obliges the affected companies and organizations to take appropriate and proportionate measures (Article 21), including risk analysis and information security policies, incident handling, business continuity management (backups, disaster recovery, crisis management), supply chain security, secure acquisition and development of systems including vulnerability handling, cryptography and encryption, access control and asset management, multi-factor authentication, and the reporting and remediation of incidents. Because of the supply chain obligations, suppliers that are not themselves in scope may still be bound indirectly: their in-scope customers will typically pass the requirements down by contract, i.e. under civil law.
Step 3
Considering National Specifics
Even though NIS 2 harmonizes the vast majority of regulations across the EU, there are still national differences. This is because the NIS 2 Directive must be transposed into national law and the member states have leeway when it comes to implementation.
A special task of the legal or compliance department is therefore to identify national legal requirements, communicate them as a requirement in the NIS 2 implementation project and evaluate their implementation.
This is particularly relevant for affected companies because national legislation determines the competent authority with which companies must register and to which they report. The legal or compliance department must therefore keep an eye on the transposition status in every country in which the company has business activities and may have to register.
The NIS 2 Directive had to be transposed into national law by the EU member states by October 17, 2024. However, some member states have not yet done so.
Through our international network, we provide support in identifying national requirements and the implementation status and integrate these requirements in your implementation project.
We have compiled the current status of the implementation of NIS 2 for you here.
EU NIS 2 Competence Network
We help you to determine the extent to which your company and your organization are affected by the NIS 2 Directive, assess your compliance capabilities or identify gaps and support you in implementing the regulatory requirements at national and EU level in an appropriate and cost-effective manner.
PwC has established a multidisciplinary NIS 2 competence network across the EU. This consists of experts from the fields of cyber security, risk management, incident response, governance, compliance and law. Over 150 specialists in the EU region support companies in implementing the NIS 2 Directive.