Does the NIS2 Directive apply to my company?

From autumn 2024, the new NIS2 Directive will impose extensive new cyber security obligations on many companies. That is why it is important to get the cyber security within your company in order now. If proper measures are not taken, you risk a hefty fine and could potentially be held personally liable. By answering the two questions below, you can determine whether the NIS2 Directive will also apply to your company. If it does, you will also find a brief overview of the most important conditions that must be met.

Date: June 13, 2023

Modified November 04, 2024

Written by: Valerie Lipman

Reading time: +/- 2 minutes


Does the NIS2 Directive apply to my company?

The rules from the NIS2 Directive will apply to companies within a wide range of sectors from the autumn of 2024. The following two questions will help you quickly determine whether NIS2 is applicable to your business.

1. Does your company operate in any of the following industries?

Left column:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking or wastewater
- Digital infrastructure
- Management of ICT services
- Government
- Space

Right column:
- Postal and courier services
- Waste management
- Chemistry
- Food
- Manufacture/manufacturing
- Offering digital services
- Research

If not, your company probably does not need to comply with the requirements of NIS2. However, it may be the case that a Member State of the European Union determines that a company that does not operate in one of the sectors mentioned must nevertheless comply with the directive.

If yes, proceed to the next question.

2. Is your company medium or large?

Micro or small business

If your company has fewer than 50 employees and an annual turnover and annual balance sheet total of €10 million or less, it counts as micro or small. In principle, you do not have to comply with the requirements of NIS2.

Critical services

A micro or small business does have to comply with the Directive if the service it provides is critical. This is the case, for example, if you are the sole provider of a service that is essential to the maintenance of critical social or economic activities. A service also counts as critical if a disruption of it could have a significant impact on public safety or public health.

Even in the event of a systemic risk or specific interest, your company may still fall under NIS2, despite its size. In addition, a Member State may designate a micro or small enterprise, which means that it must still comply with the NIS2 Directive.

Medium or large enterprise

If your company has more than 50 employees, or an annual turnover and annual balance sheet total of more than €10 million, it is considered medium-sized or large. Your organisation is large if it employs at least 250 people, or if its annual turnover exceeds €50 million and its annual balance sheet total exceeds €43 million.

Large and medium-sized enterprises belonging to one of the aforementioned sectors must comply with the requirements of NIS2.


What are the obligations under the NIS2 Directive?

If the NIS2 Directive applies to your organisation, you have three obligations.

1. Training

Board members must receive training on cyber security: they need sufficient knowledge and skills to identify cyber security risks and to assess cyber security measures and their impact on business operations. It is still unclear whether board members must take specific training for this purpose or whether they may choose their own general courses on cyber security.

2. Preventive measures

You must take preventive measures to manage risks to your systems, prevent cyber incidents and mitigate the consequences of incidents. Among other things, your organization should create policies on analyzing cyber risks and securing information systems.

Your company must also take measures regarding incident handling, business continuity, supply chain and information systems security, cyber hygiene and encryption. Furthermore, you are required to create policies and procedures to assess the effectiveness of security measures. Thus, you would do well to audit your systems (or have them audited) and take the necessary security measures based on those audits.

3. Reactive action

Although you should take measures to prevent cyber incidents, it is of course still possible for an incident to occur within your organization. In that case, you would do well to carefully follow the policies created. This is to limit the consequences of the incident as much as possible. To this end, it is of course also important that your employees are aware of this policy and know what to do and who to contact in the event of a cyber incident.

Important or essential enterprise

Every company that falls under the NIS2 Directive must meet the same requirements. Nevertheless, NIS2 distinguishes between important and essential enterprises. Only large companies operating in one of the sectors in the left column of the overview above are essential. All other companies covered by the NIS2 Directive are, in principle, important. This distinction determines the degree of supervision of your company and the maximum level of sanctions.

Supervision and enforcement under NIS2

If your company is classified as important, supervision takes place after the fact: the supervisor will only take action once it has evidence or an indication that your company is not fulfilling its obligations. If your company is essential, preventive supervision takes place in addition to reactive supervision, meaning the supervisor may use its control powers even without such an indication.

Reactive and preventive supervision

The regulator has the power to subject your company to audits, on-site inspections and obligations to provide information. If the regulator concludes on this basis that you are not in compliance, it can begin enforcement.

Enforcement may require your company to follow instructions, inform customers and take the necessary steps at its own expense to remedy the breach. If your business is essential, the regulator may also temporarily suspend a certification or licence.

The supervisor may also ask the court to temporarily prohibit an executive within your organization from performing his duties.

Fines and liability

If your company does not comply with the regulations of NIS2, sanctions may follow.

Fines

An important company may be subject to an administrative fine of up to €7 million or 1.4% of total annual worldwide turnover, whichever is higher. For an essential company, it is €10 million or 2%. Periodic penalty payments may also be imposed.

Liability

NIS2 also provides for the personal liability of natural persons with powers of representation, control and decision-making within an essential enterprise.

Conclusion

The NIS2 Directive provides far-reaching obligations regarding cyber security for your company. The directors must have the right knowledge and your organisation is obliged to take sufficient precautions and act appropriately in the event of a cyber incident. If your company does not meet the standards of NIS2, the regulator can start enforcement, impose fines and possibly even hold managers personally liable.

The information given above does not yet provide complete treatment of NIS2. The new Directive is too extensive for that. If you want to know what the new NIS2 directive will mean for your organisation, please contact our specialised IT law department attorneys. They will be able to tell you exactly whether NIS2 will apply to your business, what obligations you will need to comply with and how you can best prepare for the new NIS2 Directive.
