NIS 2 liability: Who, What and When
What: The revised Network and Information Systems Directive (NIS 2) is European legislation on cybersecurity that provides legal measures to boost the overall level of cybersecurity in the EU.
When: The deadline for the EU member states to transpose NIS 2 into national law is October 17, 2024.
Who: Am I liable as a CxO and what penalties are involved?
- Yes, you are liable. The C-level cannot transfer NIS 2 liability to the CISO or anyone else. The C-level is, however, expected to drive the necessary cybersecurity improvements through the CISO and other relevant teams.
- The maximum fine is at least 10M€ or up to 2% of the company's total worldwide annual turnover.
Is our company within the scope of the regulation?
- NIS 2 applies to a broader scope of sectors and entities than those covered by the current NIS Directive.
- Critical infrastructure industries in the EU are regulated. See
- These entities are divided into Essential entities, whose governance requirements are more rigorous, and Important entities, which are also in scope of the regulation.
- NIS 2 also applies to certain small and micro entities that are specified in the directive.
Is the NIS 2 regulation valid only for companies operating in the EU?
- On this question, I would refer you to your legal team, as the answer is "it depends".
Why is the NIS 2 regulation coming?
- The more we digitalize our lives, the more important it is to ensure that our systems operate reliably and free from disruption by cyber-attacks.
- NIS 2 and the recent SEC regulations both expect companies to have proper cybersecurity governance, processes, and reporting in place.
Author: Petri Kuivala. He has served as Chairman of the Board of Directors of a publicly listed company. He has worked at Nokia, Microsoft and NXP Semiconductors and overseen the M&A activities of leading companies such as Qualcomm and Siemens. He is a long-time Chief Information Security Officer and a lawyer by training.