Transposition of the NIS2 Directive
The Benchmark shows whether the scope of national transposition rules differs from that of NIS2, and maps competent authorities for sectors such as digital infrastructure (including telecoms), digital providers and ICT service management.
Part 3: Security risk-management and incident reporting requirements
- Belgium, Germany, and Portugal provide references to international standards or other instruments to demonstrate compliance with NIS2 requirements; and
- Portugal and Romania have introduced reporting requirements that go beyond those set out in NIS2.
Part 4: Enforcement
- In Belgium and Italy, NIS2 maximum fines can be doubled (or even tripled in Italy) in the event of a repeated violation. taly) in the event of a repeated violation.
- In six countries, members of management bodies can be fined for non-compliance, while in most of the countries observed public administration entities are subject to fines like other NIS2 entities.
- In addition, five EU countries could impose additional penalties to enforce compliance with NIS2 obligations.enalties to enforce compliance with NIS2 obligations.
All you need to know about the new NIS2 Directive
Cullen International provides a detailed overview of the requirements and obligations under the NIS2 Directive, including the cybersecurity risk-management measures and incident reporting obligations.
Part 1: Scope
The revised directive classifies the entities covered into those which are considered essential and those which are important. As a rule, all medium and large size entities will have to comply with the NIS2 security risk management and reporting rules. However, the directive will adjust the classification as being either essential or important depending on the size of the entity.
The first of five reports covers the objectives and scope of the revised directive and explains the applicable rules to classify entities as either essential or important.
Part 2: Common security risk management and reporting requirements
The revised EU directive on the security of network and information systems (NIS2) sets baseline security risk management measures for all the entities operating across the sectors falling within its scope. The directive applies an “all-hazard” approach, thus the risk management measures should also address physical and environmental security (e.g. natural disasters, system failures).
Our second of five reports provides an analysis of the common security risk management and reporting requirements, which apply to all essential and important entities covered by the revised directive.
Part 3: Specific obligations for the telecoms, ICT supply chain and digital sectors
The revised EU directive on the security of network and information systems (NIS2) imposes on critical entities (e.g. cloud providers, data centres, social media platforms) common security risk management and reporting requirements. Importantly, the NIS2 will also regulate the security of telecoms operators when providing both telecoms related services (e.g. mobile services) and non-telecoms services (e.g. cloud).
Our third of five reports covers certain security obligations which apply specifically to the telecoms, ICT supply chain and digital sectors.
Part 4: Supervision and jurisdiction
The revised EU directive on the security of network and information systems (NIS2) subjects essential and important entities to the same security risk management and reporting requirements. However, they differ based on supervision.
Our fourth of five reports outlines the supervisory and enforcement framework laid down by the NIS2 directive.
Who?
