In our previous blogs, we presented what the NIS2 Directive will entail, what to expect from it, and what the reporting and duty-of-care obligations will entail. The Directive also foresees enforcement mechanisms to ensure effective compliance with the rules and sanctions in case of breach of the rules.
Enforcement mechanisms
Member States must ensure that they carry out effective supervision to ensure compliance with the requirements of NIS2. Regarding essential entities, this implies proactive supervision. In contrast, it implies reactive supervision for important entities, which may be triggered by evidence, indication, or information that the entity allegedly does not comply with the Directive. Indeed, in the latter case, action should only be taken when, for a Member State, it appears that an important entity does not comply with the obligations laid down in the Directive.
The measures taken by competent authorities must be effective, proportionate, and dissuasive. For both types of entities, the competent bodies will have the power to subject them to on-site inspections and off-site ex-post supervision conducted by trained professionals, targeted security audits, security scans, requests to access data, documents and information, and requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence. Random checks further expand the list together with ad hoc audits in the case of essential entities. Except for duly substantiated cases, the audited entities will need to bear the costs of the security audits.
If an infringement is discovered, the competent authorities can exercise further enforcement powers, such as issuing warnings, adopting instructions, ordering entities to cease conduct of activities that infringe on the Directive, ordering entities to inform the natural or legal persons that may be affected by the misconduct, or even making the information public. Should these measures not lead to remedying the situation, the competent authorities may temporarily suspend the entity’s activities and the organization’s manager, who is discharging responsibilities at a chief executive or representative legal level.
Sanctions
The NIS2 Directive sets up a consistent framework for sanctions across the Union, by establishing a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations. These sanctions include binding instructions, implementing the recommendations of a security audit, bringing security measures in line with NIS requirements, and administrative fines. Concerning administrative penalties, the new NIS Directive distinguishes between essential and important entities.
Member States must provide the relevant authorities the ability to impose considerable fines. Regarding essential entities, the NIS2 Directive requires Member States to provide for a certain level of administrative fines, notably a maximum of at least €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Concerning important entities, the NIS2 Directive requires Member States to provide a maximum fine of at least €7,000,000, or at least 1,4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Management bodies of essential and important entities may also be held liable for non-compliance with the provisions of the NIS2 Directive. If your organization is a covered entity and fails to build and maintain cyber-fitness, there will be fines and penalties for non-compliance with risk management measures or reporting obligations.
To strengthen the supervision that helps ensure effective compliance, the NIS2 Directive provides a minimum list of supervisory means through which competent authorities may supervise essential and important entities. These include regular and targeted audits, on-site and off-site checks, information requests, and document or evidence access.
When exercising their enforcement powers, competent authorities should give due regard to the particular circumstances of each case, such as the nature, gravity, and duration of the infringement, the damage caused or losses incurred, and the intentional or negligent character of the violation.
To ensure real accountability for the cybersecurity measures at the organizational level, NIS2 introduces provisions on the liability of natural persons holding senior management positions in the entities falling within the scope of the new NIS2 Directive.