NIS2 (Network and Information Systems Directive 2) is the updated version of the NIS Directive, which the EU first introduced in 2016. The original NIS Directive aimed to enhance cybersecurity across member states by requiring certain critical sectors to implement strong cybersecurity practices. NIS2, adopted in 2022, significantly expands on the scope of the original directive and introduces stricter requirements.
Key Aspects of NIS2
Broader Scope: NIS2 applies to various sectors and businesses. It targets two types of entities:
- Essential entities: These include energy, transport, banking, healthcare, digital infrastructure, and public administration sectors.
- Important entities: These include the manufacturing of certain products, postal services, food supply, space, and other sectors.
Stricter Obligations: Organizations must meet more comprehensive requirements on risk management, incident reporting, supply chain security, and cooperation with national authorities.
Unified Standards: It harmonizes cybersecurity requirements across the EU, ensuring that member states follow consistent standards. This reduces regulatory fragmentation that occurred under the original NIS Directive.
Incident Reporting: Companies are required to notify incidents that could affect the continuity of services within 24 hours (initial notification) and provide a detailed report within 72 hours.
Fines and Sanctions: NIS2 introduces significant penalties for non-compliance, similar to the General Data Protection Regulation (GDPR). Fines can be up to €10 million or 2% of global annual turnover.
How NIS2 Affects Companies in APAC (Asia-Pacific) with Business in the EU
If your company is in the APAC region but has business dealings with the EU, NIS2 can still affect you, especially if you:
- Offer services or products in the critical sectors that NIS2 targets.
- Even if you are outside the EU, if your services are essential to EU markets, you may need to comply with NIS2.
- Are part of the supply chain for EU-based companies in critical sectors.
- NIS2 requires companies to ensure the security of their supply chains, which means they may impose cybersecurity requirements on non-EU partners.
- Handle data of EU citizens or provide digital services in the EU.
- Even though NIS2 is not as data-centric as the GDPR, it still emphasizes cybersecurity, and non-compliance could result in sanctions.
What Should You Do?
Assess Your Compliance: Check if your business falls under the sectors affected by NIS2, and whether your contracts with EU entities include cybersecurity obligations.
Align with Cybersecurity Frameworks: Ensure you are aligned with global standards like ISO 27001 or NIST CSF. This will help you comply with NIS2's requirements, even if you are not directly subject to them. If the company has implemented the ISO 27001 framework, the cybersecurity controls have covered 70% of NIS2 requirements.
Incident Management & Reporting: Set up robust incident reporting mechanisms. Even if you are not in the EU, you may need to report cybersecurity incidents that affect your EU clients or partners.
Example Scenarios
Cloud Service Providers: An APAC-based cloud service provider with clients in the EU must implement stringent cybersecurity measures and incident reporting protocols to comply with NIS2.
Manufacturing Firms: An APAC manufacturing firm supplying components to critical infrastructure projects in the EU must ensure the robustness of its own and subcontractors' cybersecurity practices.
Final Thoughts
While NIS2 primarily targets entities within the EU, its ripple effects mean that any APAC company with business ties to the EU, must take proactive steps to ensure compliance. This involves adopting globally recognized cybersecurity standards, enhancing incident response capabilities, and fostering strong collaboration with EU partners. Failure to comply not only risks significant financial penalties but also endangers long-term business prospects and reputational standing.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
