In January 2023, a new directive on measures to ensure a high common level of cybersecurity in the Union (the "NIS 2 Directive") entered into force, and is to be transposed by 17 October 2024.
The cybersecurity regulations will now apply to every entity that (i) provides one of the services listed in the NIS 2 Directive and at the same time (ii) employs 50 or more employees and has an annual turnover and/or an annual balance sheet of more than EUR 10 million.
With the transposition of the NIS 2 Directive, the range of obliged entities will be extended to include entities performing activities in the following sectors:
- waste management;
- wastewater;
- production, processing and distribution of food;
- production and distribution of chemical substances;
- production (of medical devices, computers, electronic and optical products, machines and defined devices, motor vehicles, semi-trailers, trailers and other means of transport);
- courier services;
- research.
We recommend that entities affected by the new legislation start preparing for it ahead of time, in particular by:
- performing an analysis of possible cybersecurity risks;
- adopting and adhering to a cybersecurity strategy (i.e. adopting internal documentation);
- implementing appropriate and adequate technical and operational security measures (e.g. backing up all data on a physical medium that is not connected to a network, regularly updating devices and antivirus programs, using cryptography and encryption);
- undergoing professional training (both governing bodies and employees).
By Martina Oveckova, Junior Associate, Eversheds Sutherland