The duty of care under NIS2

Next story
André Lameiras

We have previously discussed the “duty of care”, but what exactly does this entail? Under the former Network and Information Security Directive, a dual duty applies to providers of essential services and digital service providers: a duty to report and a duty of care. In this blog, we will explain the latter. Under the former directive, the duty of care applies to both essential service providers and digital service providers. It involves taking appropriate and proportionate technical and organisational measures to manage the risks to the security of network and information systems.

The new NIS2 Directive establishes a different distinction: essential and important entities, reflecting the extent to which they are critical as regards their sector or the type of service they provide, as well as their size. Both types of entities will be required to comply with the duty of care. It is up to the Member States to establish a list of essential and important entities based on the most appropriate national mechanisms, allowing entities to register themselves. Entities become subject to cybersecurity risk management measures when registered under one of the two categories. These should be proportionate to the degree of the essential or important entity’s exposure to risks and to the societal and economic impact that an incident would have. Due account of the entity’s criticality, size, and likelihood of occurrence of incidents should also be taken.

In this context, security refers to the ability of network and information systems to withstand actions that compromise availability, authenticity, integrity, and confidentiality. The Commission Implementing Regulation (Regulation (EU) 2018/151) further specifies the security elements to be observed: security of systems and facilities, incident handling, business continuity management, monitoring, control and testing, and international standards.  

Minimum measures

The NIS2 Directive lists a minimum set of measures, including conducting risk analysis and instituting policies on information systems security, incident enforcement, business continuity and crisis management, supply chain security, and security in the procurement, development, and maintenance of network and information systems. Also included are policies and procedures to assess the effectiveness of risk management measures and the use of cryptography and encryption.

Essential and important entities should also adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness; organise training for their staff; and raise awareness concerning cyber threats, phishing, or social engineering techniques. Furthermore, those entities should re-evaluate their cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity-enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems.

In addition, to demonstrate compliance with these measures, Member States may require essential and important entities to use specific ICT products, services, or processes that will be certified under the European cybersecurity certification schemes adopted under the Cybersecurity Act (Regulation (EU) 2019/881).

Moreover, the European Commission is empowered to adopt implementing and delegated acts to specify risk management measures further. Thus, obligations can become more defined, taking into account new cyber threats, technological developments, or sector-specific features.

Monitoring and enforcement

Member States must ensure that they carry out effective supervision to ensure compliance with the Directive’s requirements. Regarding essential entities, this implies proactive supervision. In contrast, it implies reactive supervision for important entities, which may be triggered by evidence, indication, or information that the entity allegedly does not comply with the Directive. Indeed, in the latter case, action should only be taken when, for a Member State, it appears that an important entity does not comply with the obligations laid down in the Directive. To this end, supervisory authorities have a comprehensive set of supervisory powers and enforcement tools at their disposal. The NIS2 Directive also extends liability to natural persons who can be held responsible for breaching the duty of care. Thus, in addition to the legal person, an organization’s director can also be held liable.