Navigating the NIS2 Transposition Act: A Crucial Yet Complex Journey for Global Corporations
A Guideline for Global Enterprises Operating in the EU
Exploring the Legal Landscape of Cybersecurity Brings Rewards
Cyberattacks are no longer isolated incidents, and they can inflict massive economic damage. According to Bitkom's estimates, German businesses suffered a staggering 203 billion euros in losses due to cyberattacks in 2022, with nearly every company a victim at least once. Reputational damage is a further substantial, if intangible, loss following a cyberattack. The need for stringent regulation and robust corporate measures is becoming increasingly apparent.
The EU aims to tackle this issue with the NIS2 Directive (EU) 2022/2555, effective from the beginning of 2023. However, complying with the directive's requirements and national transposition acts presents numerous challenges for many companies.
Fines beckon
Despite the challenges, diligently addressing these new requirements is worthwhile: the NIS2 Directive provides for fines of up to 10 million euros or 2% of total worldwide turnover for essential facilities, and up to 7 million euros or 1.4% of total worldwide turnover for important facilities. The national transposition acts likewise provide for substantial fines.
The deadline for EU member states to implement the NIS2 Directive was October 17, 2024. Countries such as Belgium, Hungary, and Italy have already transposed the directive into national law. In Germany, the fate of the long-awaited NIS2 Transposition and Cybersecurity Reinforcement Act ("NIS2UmsuCG") is currently uncertain following the collapse of the traffic light coalition on November 6, 2024.
Recommended audit
Regardless of the political uncertainty in Germany, globally active corporations face the task of verifying whether national NIS2 transposition acts have been enacted (or exist in draft form) and examining their potential impact on the group's individual companies. This process can be complex and confusing.
Uncertainties arise due to factors such as:
- The lack of any group-level rule in the NIS2 Directive, which ties the scope of application to the concept of the "facility". Within a group, only the legal entity that actually performs the activities or provides the services is obliged to implement the measures. Group-wide total revenue is nevertheless taken into account when determining whether the small and medium-sized enterprise (SME) thresholds are exceeded.
- The need to check whether subsidiaries of foreign corporations fall under NIS2 rules, particularly if they perform activities or offer services within the EU. It is essential to recognize, however, that national jurisdiction is determined geographically by the location of the facility.
The requirements for cybersecurity and risk management measures, as well as the registration and notification obligations, also present practical challenges for international companies because of differences among EU member states. For example:
- Belgium: The Belgian "NIS2 Act," passed on April 26, 2024, grants a five-month registration period from its effective date of October 18, 2024. By contrast, the German draft NIS2 Implementation Act proposes a three-month registration period for "essential" and "particularly essential" facilities, running from the date on which the facility is first, or newly, deemed to be one.
- Hungary: The Hungarian legislator has expanded the scope of its implementing act, the "Act on the Certification and Supervision of Cybersecurity," to include public transport.
Strategic necessity
Companies, especially globally active corporations, should not view the NIS2 requirements merely as a legal obligation but as a strategic necessity for their future resilience, regardless of Germany's current political stalemate. The more proactively and thoroughly they engage with the cybersecurity requirements, the better prepared they will be for current and future challenges.
*) Nadine Neumeier is Counsel and Stephanie Giek is Associate at the law firm Clifford Chance in Frankfurt.
Intriguing Perspectives from the Virtual World
The NIS2 Directive applies to businesses in critical sectors such as energy, healthcare, transport, banking and finance, postal services, manufacturing, digital infrastructure, and more. Non-EU organizations providing critical services to the EU are also subject to these regulations. Organizations are categorized as either "essential" or "important" based on their role and impact in the EU's economy. The classification influences the level of supervision and potential penalties.
Entities are required to implement robust cybersecurity measures, conduct regular risk assessments, and manage risks associated with their suppliers and service providers. They must also report significant cyber incidents promptly to the relevant authorities.
The cost of implementing and maintaining NIS2 compliance can be substantial, particularly for multinational corporations operating across several EU member states. Fines for non-compliance are significant, so a strategic approach to ensuring holistic compliance is essential for multinational organizations.
- Despite the complexities and uncertainties involved, globally active corporations should recognize that addressing the NIS2 Directive's cybersecurity requirements is a strategic necessity: the requirements are not only legal obligations but also contribute to resilience against current and future challenges.
- Because the NIS2 Directive applies to businesses in critical sectors, organizations should know whether they are classified as "essential" or "important" within the EU's economy, since this classification determines the level of supervision and the potential penalties. Robust cybersecurity measures, regular risk assessments, and management of risks associated with suppliers and service providers are among the requirements these entities must implement.
