NIS2 implementation - Tips for mapping applicable laws and considering the One Stop Shop principle

As noted in previous editions of Connected, the updated Network and Information Systems Directive (“NIS2” Directive 2022/2555) entered into force on 16 January 2023. Member States now have until 17 October 2024 to adopt new legislation to comply with NIS2 (which replaces the current regime). Companies need to consider how the expanded new regime will impact them as it will take time to put compliant structures in place, and they will need to factor NIS2 jurisdiction rules into their compliance plans, contracts and relationships with third parties that they rely upon to protect their assets.

Which Member State Laws will apply?

In addition to considering whether you fall within the scope of NIS2, it is important to identify the relevant national laws transposing NIS2 as part of a compliance plan. NIS2 is a Directive, so each Member State must transpose it into national law in accordance with the rules set out in the Directive.

For many organisations, identifying which Member State's laws will apply to their cybersecurity operations under NIS2 will be obvious. For those entities it will also be straightforward to identify the corresponding supervisory authority and principal EU regulator responsible for enforcing NIS2. For others, with decision-makers in various parts of the EU, with services distributed across a number of countries, or with decisions regarding services, data and cybersecurity taken outside the EU, it will not be as straightforward. The jurisdiction rules in NIS2 are not identical to those in other laws dealing with data, such as the GDPR, so entities navigating NIS2 should analyse the new rules early in their compliance plans.

It will be crucial for organisations to review, and be deliberate in structuring, their cybersecurity decision-making in Europe. NIS2 requires the competent authorities enforcing it to collaborate and align with the GDPR supervisory authorities in a number of areas. For some entities there are choices to be made, and they will need to consider their current cybersecurity arrangements and whether any adjustments should be made ahead of NIS2 becoming effective. Many may choose to align NIS2 compliance plans with existing data protection compliance structures. Some entities will also need to consider their position under Directive (EU) 2022/2557 on the resilience of critical entities, which was introduced alongside NIS2 and is planned to take effect at the same time. Others, such as those in the life sciences, financial services and telecommunications sectors, will need to consider sector-specific cybersecurity laws which will also inform their NIS2 compliance plans.

The choices that Member States make in transposing NIS2 will undoubtedly affect the enforcement landscape, and this may inform some of the structuring choices entities make for their cybersecurity services. While it is difficult to fully assess and compare these differences today, as not all Member States have yet published their legislation transposing NIS2, it is advisable to begin building this analysis into NIS2 compliance plans.

How does NIS2 determine which Member State rules apply?

Generally, entities will be required to abide by the rules of the Member State in which they are established. For the digital entities covered by the one-stop-shop mechanism (see below), the relevant Member State is the one in which the entity has its main establishment. Under NIS2, an entity is considered to have its main establishment in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.

If such a Member State cannot be determined, or if such decisions are taken outside of the EU, then the main establishment is in the Member State where cybersecurity operations are carried out. If that Member State cannot be determined, the main establishment is in the Member State where the entity concerned has the establishment with the highest number of employees in the EU.

If an entity falls under the scope of the one-stop-shop mechanism and offers services within the EU but is not established there, it must designate a representative in the EU. This construct is similar to the GDPR requirement for an EU representative for entities established outside the EU. The NIS2 representative must be established in one of the Member States where the services are offered. In the absence of a representative in the EU, any Member State in which the entity provides services may take legal action against the entity for infringement of this requirement. Importantly, the designation of a representative under NIS2 is without prejudice to legal action which could be initiated against the entity itself.

What is the One Stop Shop mechanism?

In order to take account of the cross-border nature of some companies working in digital sectors, specific jurisdiction rules apply. Sectors which fall into scope of this mechanism include: Domain Name System (DNS) service providers, Top Level Domain (TLD) name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms.

For these entities, specific jurisdiction rules apply, which can be summarised as follows: 

  • providers of public electronic communications networks or providers of publicly available electronic communications services, are regulated in the Member State in which they provide their services;
  • providers of online marketplaces, of online search engines or of social networking services platforms, fall under the authority of the Member State in which they have their main establishment in the EU;
  • DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, fall under the jurisdiction of the laws of the Member State in which they have their main establishment in the EU; and
  • public administration entities, are regulated in the Member State which established them.

The EU Agency for Cybersecurity (ENISA) will then create and maintain a registry of some of the entities which fall within the one-stop-shop rules.

Next steps

NIS2 will require entities to determine which services are in scope, and to identify how these rules apply to their service activities as part of a compliance plan. It is important for companies to conduct a robust review of their products and services in order to (i) determine whether they qualify as an essential or important entity under NIS2; (ii) determine which laws in which Member State apply to them; (iii) assess whether the services qualify for the one-stop-shop mechanism; and (iv) register with the competent authority in the Member State where the main establishment is located before 17 January 2025.

For further information, please contact Deirdre Kilroy and Denis Halton

More info on NIS2

For more information on NIS2, please also see our separate update at twobirds.com
