Four things legal departments should do now in relation to NIS 2
The NIS 2 Directive is the subject of nearly as much heated debate as the GDPR back in 2018. There is a lack of clarity on many points and the legislative process in Germany, in the form of the bill to transpose the NIS 2, is still in its infancy.
However, time is of the essence, as the requirements of the NIS 2 Directive have to be transposed into national law by 17 October 2024. After that date, there are not likely to be any real additional grace periods for companies. At the same time, the NIS 2 Directive focuses on the responsibility of management, which is why directors ought to be aware of the topic.
Many unanswered questions
Companies already dealing with the NIS 2 Directive are asking themselves various questions. Number one on that list of questions is certainly whether their company comes within the scope of application. Examining the annexes to the NIS 2 Directive in detail often throws up a few surprises. Is it possible, for example, for a landlord or landlady to become a “provider of managed services” (B2B) because they provide tenants with Wi-Fi access points? How exactly should “providers of cloud computing services” be defined, and are apps included as well? How do “providers of cloud computing services” differ from “providers of online marketplaces” and “providers of platforms for social network services”, which are also affected?
Closely related to this are questions of whether the applicability of the NIS 2 Directive to a group company “infects” the entire group and what thresholds apply in a group context.
In our experience, question number two is about how comprehensively the risk management measures required by Article 21 of the NIS 2 Directive (see section 30 of the German IT Security Bill Draft) should be rolled out. Even though the legislative process in Germany has been vague on this so far, companies are opting for a “lean” scope of application and are focussing on the processes and systems necessary for operating the relevant facilities. From a technical perspective, companies are looking at what exactly the legislator meant by risk management measures, and how standards such as ISO 27001 harmonise with these.
Four tasks for 2024
In-house lawyers do not have to (and should not) wait until October 2024, however. There are tasks they can prepare in advance right now.
- Coordinate with stakeholders: Information, IT and cyber security are certainly not topics in-house legal departments can handle themselves. Interdisciplinary collaboration is therefore required. It goes without saying that management and the CISO (Chief Information Security Officer) should also be involved. After all, management must approve the risk management measures and monitor their implementation, as otherwise they may be held liable (see Article 20(1) NIS 2 Directive). A roadmap should be jointly agreed on how the company aims to handle the NIS 2 Directive.
- Check the scope of application: An obvious task for in-house legal departments is to consider whether the NIS 2 Directive will apply to their company. However, the next two points can be tackled independently of this.
- Revise supply chain contracts: It is advisable to make (important) contracts fit for purpose (see also Article 21(2)(d) and (e) NIS 2 Directive). Simple information security clauses, which oblige contractual partners to comply with a certain standard (such as the state of the art), as well as clauses on proof of certificates/attestations, may be sufficient in rare cases. In any case, if the contracting parties are to deal extensively with information relating to the companies addressed here, then detailed contracts or annexes on cyber, IT and information security are advisable. These should at least include specific measures to be taken by contracting parties, including amendment obligations, audit rights and duties to provide information. Old contracts in particular should be reviewed to ensure they are up to date, and renegotiated if necessary. On this occasion, we also recommend that companies systematically record which business partners are to be informed in the event of a breach of information security protection goals.
- Prepare incident plans: We have noticed when advising companies in an emergency (when there is a cyberattack, for example) that most of them do not have (up-to-date) incident plans (see also Article 21(2)(b) NIS 2 Directive). People are summoned in a rush, service providers are sought, reporting obligations are reviewed for the first time (in the worst case on a global scale), and companies consider what else can be done and needs to be done. As a key element of corporate governance, we strongly advise companies to have an incident plan, for example in the form of a policy. Technically, this can be accompanied by playbooks. But even the best plan is no use if it is not tested and continuously improved.
Of course, these are just some of the tasks currently required with a view to information and cybersecurity. Legal departments would be well advised to keep a close eye on the legislative process in connection with the implementation of the NIS 2 Directive. It remains an interesting time, not least because Brussels and Berlin are currently issuing many pieces of legislation on IT security. To name but a few: DORA for the financial sector, the CER Directive (and the transposing German KRITIS umbrella act), the Cyber Resilience Act (CRA), various pieces of legislation to do with artificial intelligence, plus the Product Liability Directive and Product Safety Regulation.
We will continue to report on the future legislative processes and our practical experience. Follow these links for more information on the Noerr Cyber Risks group and the Data, Tech and Telecom and Digital Business practice groups.