Last October 17 was the deadline for transposing Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union (better known as NIS2). Its national regulatory scope is still unknown, but it is worth remembering that this Directive, which entered into force on January 16, 2023, introduces a series of new cybersecurity measures that affect more entities, public and private, than its predecessor.
In that sense, the Directive extends its scope to more entities in “sectors of high criticality” such as energy, transport, banking, drinking water, healthcare and digital infrastructure, and to more entities in “other critical sectors” such as waste management, food production and distribution, medical device manufacturing, machinery manufacturing and digital providers. Member States must, in turn, draw up their lists of essential and important entities by April 17, 2025 at the latest.
Many of these entities were, because of their size, outside the scope of application of the predecessor regulation; the NIS2 Directive extends it to “medium-sized enterprises”, understood as those that employ at least 50 people or whose annual turnover and annual balance sheet total exceed EUR 10 million.
In addition, non-compliance with these measures will be subject to a severe penalty regime, which Member States must lay down and notify to the Commission by January 17, 2025. The NIS2 Directive itself requires maximum fines of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and of at least EUR 7 million or 1.4% of that turnover for important entities, depending on how the non-compliant entity is classified.
In short, Europe aims to strengthen cybersecurity at a common level at the cost of companies having to implement a new set of measures and ensure compliance to avoid being heavily penalized.
Author: Isabel Marqueta Carnicer. Associate of Lacasa Abogados, Palacios & Partners.