Public consultation: NIS2 Directive

A draft decree-law transposing Directive (EU) 2022/2555 (“NIS2”) and updating the NIS Directive has been submitted for public consultation. This decree-law (“NIS2 Directive”) aims to strengthen national cybersecurity and align it with the European Union (“EU”) objective for a high common level of cyberspace protection.

Key changes to cyberspace security legal regime

i)           Expansion of number of target entities

Additional essential service operators and new critical sectors are included.

“Essential entities” and “important entities” categories are introduced, each with distinct responsibilities and measures based on their risk and impact.

ii)          Risk assessment measures

Risk assessment measures, residual risk analysis, and clear minimum cybersecurity measures are established. This model aims to reduce assessment subjectivity and promote simplicity and predictability.

iii)         Supply chain security

There is a focus on supply chain security and the criteria for choosing and securing service providers.

iv)        Creation of Cyberspace Security Assessment Commission

This commission will carry out security assessments of information and communication technology equipment, components, or services, especially those from “high-risk” suppliers, considering:

• Technical risks of the equipment, components, or services;
• Context of use and exposure of manufacturers or suppliers to undue influence from third countries, including important information issued by competent national and EU authorities or included in national or EU risk assessments for network and information system security; and
• Other important safety risks. 

v)          Imposition of restrictions and use cessation

The possibility has been introduced to impose restrictions and cessation of use, and to exclude ICT equipment, components, and services, as a result of negative assessments by the Cyberspace Security Assessment Commission.

vi)        Strengthening and updating national cyberspace security strategy

This strategy will include national priorities, prevention measures, and incident response.

vii)       Approving a national response plan for large-scale cybersecurity crises

This plan will entail interinstitutional coordination and alignment with crisis management frameworks. 

viii)      Promoting cybersecurity certification

Cybersecurity certification is to be promoted to incentivize target entities to comply with recognized standards, facilitating the presumption of regulatory compliance.

ix)         Clear procedural regime for applying enforcement measures and fines

A clear procedural regime for applying enforcement measures and fines to target entities will be created. This will guarantee the right to be heard and establish notification procedures and regimes, as well as procedures and regimes for time-barring, suspending, revoking, and extinguishing fines.

Key aspects maintained in NIS2 Directive proposal

The following aspects remain unchanged:

• Incident notification obligations
• The cybersecurity officer and permanent point of contact positions
• The annual report sent to the National Cybersecurity Center (“CNCS”).

The NIS2 Directive proposal also maintains the exclusion from the application scope for public entities with exclusive responsibilities in the national security, defense, intelligence services, and public security fields.

Once the transposition document has been approved, the target entities must self-identify on an electronic platform made available by the CNCS within 60 days of its becoming available. Failure to comply will constitute a serious administrative offense, punishable by fines ranging from €1,250 to €5 million or 1% of the annual worldwide turnover in the previous financial year, whichever is higher.

Penalties

The new penalty regime establishes three types of administrative offenses:

• Very serious: This includes non-compliance with obligations such as implementing cybersecurity measures and notifying incidents. Fines range from €2,500 to €10 million, or 2% of the annual turnover, for essential entities; from €1,750 to €7 million, or 1.4% of annual turnover, for important entities; and from €10,000 to €5 million for important public entities.

• Serious: This includes offenses such as failure to self-identify and failure to comply with the competent authority’s instructions. Fines range from €1,250 to €5 million, or 1% of annual turnover, for essential entities; from €875 to €3.5 million, or a maximum amount of not less than 0.7% of annual turnover, for important entities; and from €5,000 to €2.5 million for important public entities.

• Minor: This includes offenses related to cybersecurity certification, with fines of between €875 and €45,000 for all target entities.

Attempt and negligence are also punishable, with a 50% reduction of the fines.

Management and administration bodies may also be held liable by act or omission, with willful intent or serious fault, under the terms of the applicable legislation, for non-compliance with the provisions of the proposed NIS2 Directive.

Public consultation deadline

The deadline for submitting comments on the draft decree-law is December 12, 2024, and it can be consulted here.

Stakeholders are invited to analyze the text and contribute suggestions, additions, and comments.