
EU: NIS 2 Directive - Determining the applicable law, mapping national variations, and the DSP 'one stop shop' mechanism

The Network and Information Security Directive (Directive (EU) 2022/2555) (NIS 2 Directive) is a significant new law enacted to bolster cybersecurity across the European Union. It is an update of the original NIS Directive (Directive (EU) 2016/1148), which was adopted to address the increasing threats to network and information security. The aim of the NIS 2 Directive is to further harmonize, benchmark, and enhance the cybersecurity measures that apply to network and information systems across the EU, and so to create a more robust cybersecurity regulatory framework.

These new cybersecurity rules have been introduced as a directive, meaning that each Member State must enact laws reflecting these new rules and empowering regulators in their countries to supervise and enforce these laws. Individual countries can add to the NIS 2 Directive rules, provided any additional rules or requirements introduced are consistent with the Directive. The specific requirements and enforcement mechanisms can and do vary between Member States.

In this Insight article, Deirdre Kilroy, from Bird & Bird LLP, discusses the key elements of the NIS 2 Directive and how in-scope entities can ensure compliance.


The NIS 2 Directive requires designated entities in specified sectors to implement specific security measures to protect their network and information systems. The Directive establishes a framework for reporting cybersecurity incidents to regulators across the EU. It envisages regulatory cooperation and information sharing between Member States to tackle cybersecurity threats effectively.

Sectors

The Directive applies to a wide range of activities in various sectors specifically called out in the Directive. These sectors are classified into two main categories: sectors of high criticality and other critical sectors. Sectors of high criticality include energy, transportation, banking, health, manufacturing, and digital infrastructure. Manufacturing, ICT services, and digital providers are examples of activities under the other critical sectors category.

Entities within the identified sectors are categorized as essential entities or important entities, depending on factors such as size, sector, and criticality. An entity must also meet a minimum size threshold and be active in the EU for the NIS 2 Directive to apply. Determining which Member State law will apply to an entity can be complex, particularly where activities are cross-sectoral and/or cross-border in nature.

Essential services

Operators of essential services (OES) are entities that provide services considered essential for the maintenance of critical societal and economic activities. Each Member State will designate entities as OES in their jurisdiction. Essential entities are subject to ex-ante and ex-post supervision.

Important services

Entities providing important services under the NIS 2 Directive are those where the EU considers that the services have a significant impact on public safety, security, or economic stability, but are not classified as essential services. These entities must evaluate their operations and ensure that they meet the NIS 2 Directive requirements to safeguard their systems and services against threats and vulnerabilities. Important service providers are subject to ex-post supervision.

Determining the applicable law

After determining if the activities of an entity fall under any of the NIS 2 Directive sectors, and that the entity does not fall beneath minimum size thresholds, compliance with the Directive requires each in-scope entity to identify the applicable national laws implementing the NIS 2 Directive that apply to their EU activities. One of the first steps in determining an entity's NIS 2 Directive compliance obligations is determining the jurisdiction(s) in which the entity is regulated, and the regulators that supervise compliance.

Article 26(1) of the NIS 2 Directive states that, generally, essential and important entities within the NIS 2 Directive's scope will be considered to fall under the jurisdiction of the Member State in which they are established.

Recital 114 provides that the criterion of establishment, for the purposes of the NIS 2 Directive, implies the effective exercise of the regulated activity through stable arrangements. The legal form of such arrangements, whether a branch or a subsidiary with legal personality, is not the determining factor, and neither is the physical location of the network and information systems: the presence and use of such systems in a particular location do not, in themselves, constitute an establishment there.

Depending on the range of their activities in various sectors and/or their locations, entities operating in the EU may find themselves governed by the laws of more than one Member State and regulated by more than one NIS 2 Directive regulator. Recital 113 of the NIS 2 Directive provides that if an entity provides services or is established in more than one Member State, it will fall under the separate and concurrent jurisdiction of each of those Member States. The Directive states that the competent authorities of those Member States should cooperate and provide mutual assistance to each other and, where appropriate, conduct joint supervisory actions. Where more than one regulator in different Member States exercises jurisdiction, they should not impose enforcement measures or penalties more than once for the same conduct. These rules appear logical, but putting these principles into practice may prove complex.

Due to the cross-border nature of organizations working in the digital sector, specific jurisdiction rules apply to digital service providers (DSPs); the jurisdiction test is different. DSPs are entities that provide digital services, such as online marketplaces, online search engines, telecommunication networks, and cloud computing services. The jurisdiction tests that apply to DSPs are as follows:

  • Providers of public electronic communications networks or providers of publicly available electronic communications services: regulated by the NIS 2 Directive laws in the jurisdiction of the Member State(s) in which they provide their services.
  • DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, search engines, or social networking services platforms: regulated in the jurisdiction of the Member State in which they have their main establishment in the EU. Article 26(2) sets out the tests to determine where these digital services entities will be considered to have their main establishment in the EU:
    • First Test: The primary test is that the main establishment in the EU is where the entity's decisions relating to the cybersecurity risk management measures relevant to the digital services it provides are predominantly taken (the First Test). This is a factual test. Recital 114 notes that, in the case of a company, the main establishment will typically correspond to the place of the entity's 'central administration' in the EU. This recital is helpful as it indicates that the decisions referred to in the First Test are not day-to-day, low-level decisions; rather, the test relates to more essential decisions.
    • If a main establishment location cannot be determined using the First Test or if such decisions are not taken in the EU, the main establishment will be in the Member State where the entity's cybersecurity operations are carried out (the Second Test).
    • If a main establishment location cannot be determined using the First or Second Test, the main establishment will be in the Member State where the entity concerned has the establishment with the highest number of employees in the EU.
    • Recital 114 provides that where the same services are carried out by a group of undertakings, the main establishment of the controlling undertaking should be the main establishment of the group.
  • Public administration entities: regulated in the jurisdiction of the Member State that established them.

This article discusses the tests as set out in the NIS 2 Directive itself, but, of course, regard must also be had to how the jurisdiction tests are articulated in the national laws of the Member States. For example, if you operate a cloud computing service provider business and you make the cybersecurity decisions about this business in France, you will need to review the French law transposing the Directive to see how it transposes the jurisdiction tests relevant to this service when analyzing your position.

The jurisdiction test for entities not established in the EU

The NIS 2 Directive is applicable to any entities offering services within the EU, irrespective of whether they are based within the EU. Consequently, companies outside the EU that offer essential or important services (as outlined by the NIS 2 Directive) to entities within the EU must comply with the Directive's provisions. This includes the implementation of risk management measures and the obligation to report major incidents.

To determine whether a DSP entity is offering services in the EU for the purposes of this test, Recital 116 states that it should be ascertained whether the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the EU of the entity's or an intermediary's website, of an email address or other contact details, or the use of a language generally used in the third country where the entity is established, is insufficient in and of itself to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States, with the possibility of ordering services in that language, or the mentioning of customers or users who are in the EU, could make it apparent that the entity is planning to offer services within the EU.

Article 26(3) provides that where DSP entities are not established in the EU but offer digital services within the EU, they are required to designate a representative in the EU. The representative must be established in one of the Member States where the services are offered. Once appointed, the representative acts as the point of contact for enforcement and supervision within the EU. In the absence of a representative in the EU, any Member State in which the entity provides services may take legal action against the entity for infringement of the NIS 2 Directive.

Determining the competent regulators

Each Member State must designate at least one national competent authority (NCA) responsible for overseeing the implementation, supervision, and enforcement of the NIS 2 Directive. In several European countries, more than one NCA has been appointed, often because of a sector-specific focus. These NCAs play a crucial role in the regulatory framework, and it will be essential to correctly identify the relevant NCA and understand its specific requirements, enforcement approach, supervisory powers, and guidance. The NIS 2 Directive sets out extensive supervisory powers that NCAs must have, including powers to conduct inspections and security audits and to request information. Each Member State must also appoint a Computer Security Incident Response Team (CSIRT), which will provide operational expertise to assist entities with incident detection and response.

The NIS 2 Directive obliges OES to register with, report, and engage with the authorities in relation to cybersecurity, including incidents and threats. The powers and responsibilities of these authorities will differ between Member States. The NIS 2 Directive requires Member States to enact laws permitting the imposition of penalties for non-compliance, including fines and other administrative measures. The severity and nature of these penalties can vary from country to country. Entities must be aware of the potential consequences of non-compliance in their respective jurisdictions.

Mapping national variations

Member States are required to transpose the NIS 2 Directive into their national laws. This process involves introducing laws, within the specific legal and regulatory framework of each country, that comply with the NIS 2 Directive rules. While the NIS 2 Directive aims to harmonize cybersecurity measures across the EU, there are still notable variations in how Member States approach implementation. The deadline for transposing the Directive into national law (October 18, 2024) has recently passed, and many Member States have missed it.

What about DORA and the CER Directive?

In addition to the NIS 2 requirements, some entities may be subject to sector-specific cybersecurity laws in the EU. For example, the financial sector may have additional cybersecurity requirements imposed by the Digital Operational Resilience Act (DORA). Some other entities may also have infrastructure regulated by the Critical Entities Resilience (CER) Directive. These laws are intended to complement the NIS 2 Directive, and there are specific rules dictating how regulators collaborate with each other, including in relation to cross-border issues.

Conclusion

Compliance with the NIS 2 Directive is an essential aspect of tackling cybersecurity across the EU. Determining the applicable laws and competent regulators, mapping national laws, and participating in the mandatory notification mechanisms are critical components of an in-scope entity's compliance program. Organizations that consider themselves within the scope of the legislation have an obligation to 'self-register' by January 17, 2025.

As the cybersecurity landscape continues to evolve in Europe, staying informed about regulatory developments and the approach taken to the NIS 2 Directive in relevant jurisdictions will be important. Businesses operating in the EU must remain proactive in their compliance efforts to ensure that they meet the requirements of the NIS 2 Directive as they evolve over the coming years.

Deirdre Kilroy Partner
Bird & Bird LLP, Ireland