NIS 2 establishes cybersecurity risk management measures and reporting requirements for an expanded list of highly critical sectors.
Where NIS 1 included certain parts of the healthcare sector, NIS 2 extends this to include a broader range of entities such as EU reference laboratories (responsible for supporting the promotion of good practice and alignment to national reference laboratories), manufacturers of certain medical devices and basic pharmaceutical products, and entities carrying out key research and development activities of medicinal products (see Annex I "Sectors of High Criticality" and Annex II "Other critical sectors").
UK organisations operating in the relevant healthcare and/or medical devices sectors will be subject to the NIS 2 Directive where they provide their services or carry out their activities in the EU and also meet or exceed the thresholds to qualify as a "medium sized enterprise".
This article considers the key features of NIS 2 and outlines what in scope organisations operating in the healthcare and related sectors need to start doing now to ensure they are compliant when the Directive comes into force in each relevant Member State.
Overview of key changes
Reflecting a considerable broadening of scope versus NIS 1, the NIS 2 Directive:
- Brings a large number of new industry sectors within scope of the obligations;
- Imposes direct obligations on management in respect of an organisation's compliance with NIS 2, and onerous penalties where those are not complied with;
- Details cyber risk management measures that all covered organisations are required to put in place;
- Acknowledges the importance of security at all levels in supply chains and supplier relationships;
- Clarifies and strengthens incident reporting requirements;
- Provides supervisory authorities with a greater ability to supervise companies; and
- Increases the sanctions for non-compliance.
While NIS 2 imposes a range of obligations on both Member States and organisations, in this article we focus on the obligations for in scope healthcare organisations and entities in related health fields.
Before the introduction of NIS 2
The NIS 1 Directive defined healthcare as "health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provision of medicinal products and medical devices."
Any organisations that fell within this definition of healthcare were considered "operators of essential services" and were subject to strict security obligations and enforcement regimes.
Healthcare and related sectors under NIS 2
NIS 2's enhanced data security standards apply to all healthcare organisations covered by NIS 1 as well as the additional subsectors mentioned below to ensure systems and data are protected.
The scope of NIS 2 has been broadened to cover a wider range of healthcare entities, including manufacturers of medical devices (as defined in Article 2, point 1 of Regulation (EU) 2017/745), in vitro diagnostic medical devices and medical devices considered to be critical during a public health emergency.
Such medical devices include wearable devices (fitness trackers, blood glucose trackers, etc.), telehealth solutions, in silico medicine, software as a medical device and digital twins, among others.
In addition to the information technology security measures established in Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices, NIS 2 imposes additional cybersecurity requirements on medical device and IVD manufacturers (this article does not consider these overlapping requirements further).
Is your organisation covered by NIS 2?
Healthcare entities including medical device manufacturers must determine whether they are caught by NIS 2.
Subject to certain limited exceptions, the NIS 2 Directive applies to all entities which:
(i) Provide their services or carry out their activities in the EU;
(ii) Meet or exceed the thresholds to qualify as a medium-sized enterprise (i.e. that employ more than 50 employees and have an annual turnover and/or annual balance sheet total exceeding €10 million); and
(iii) Operate in one of the sectors listed in the Annexes of the Directive.
Are you important or essential?
Healthcare providers and entities in the healthcare-related subsectors above (including medical device manufacturers) that are caught by NIS 2 must determine whether they are likely to be deemed "important" or "essential" entities under the Directive. This distinction is significant, as different requirements attach to each category.
Entities generally classified as “important entities” are subject to a light ex post (measures based on actual activity) supervisory regime regarding compliance with the requirements set out in NIS 2.
However, entities that qualify as “essential entities” may be subject to both ex ante (measures based on anticipated activity) and ex post supervisory measures regarding their compliance with the Directive.
Manufacturers of medical devices and IVDs are generally classified as important entities and would be subject to ex post supervisory measures. However, medical device manufacturers that fall under NIS 2, such as manufacturers of devices considered to be critical during a public health emergency, are essential entities requiring both ex ante and ex post supervision.
Both essential and important entities must adopt the cybersecurity risk management measures provided in Article 21 of NIS 2, to include their supply chains (e.g. direct suppliers and service providers).
It is not always easy to identify whether an organisation constitutes an essential or important entity – not least because defining essential entities is in some instances left to individual Member States (albeit they must follow criteria set out in NIS 2 in making their determination), so assessments will need to be undertaken on a case-by-case basis.
What are your management responsibilities?
Under NIS 2, management bodies of essential and important entities are required to explicitly approve and oversee the implementation of the risk management measures required under the Directive.
NIS 2 does not define the term “management bodies”, leaving it to the national legislation of individual Member States to define the scope of the term. However, NIS 2's Recital 76 suggests the term refers to senior management and legal representatives.
Members of management bodies will have to undertake cybersecurity training to gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services they provide.
Members of management bodies may be held personally liable if their organisation does not comply with their obligations.
For essential entities, competent authorities can in some circumstances also impose a temporary prohibition of the exercise of managerial functions.
What are the expanded cybersecurity risk management measures?
All organisations (i.e. both essential and important entities) will be subject to the same cybersecurity risk management requirements and incident reporting obligations under NIS 2.
However, as with much European legislation, NIS 2 imports a proportionality test, such that the way in which these obligations are met will differ according to an entity’s risk exposure, importance and size.
All entities must conduct a risk analysis covering both the likelihood and the impact of incidents. Based on this, they must implement appropriate technical and organisational measures commensurate with the identified risk posed to the relevant information system.
Organisations are required to implement at least the following key measures:
- Risk analysis and information system security policies;
- Incident handling protocols;
- Business continuity plans;
- Supply chain and network security measures;
- Cybersecurity testing;
- Auditing procedures;
- Cybersecurity training;
- HR security, access control policies and asset management; and
- The use of multi-factor authentication and encryption (where appropriate).
By 17 October 2024, the EU Commission will adopt implementing acts which further harmonise and specify the technical and methodological requirements for various entities that often operate cross-border.
What are the new rules on incident reporting?
The incident reporting obligations under NIS 2 have been streamlined compared to NIS 1.
Under NIS 2, organisations are required to notify any incident (i.e. an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems) that has a significant impact on the provision of their services.
An incident is considered significant if it has:
- Caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or
- Affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The reporting process has three stages:
(i) Within 24 hours after first becoming aware of an incident, affected companies have to submit an 'early warning' – i.e. an initial report containing basic information about the incident (e.g. whether the incident is suspected of being caused unlawfully or maliciously and whether it is likely to have a cross-border impact);
(ii) Within 72 hours, organisations should update the early warning with a more comprehensive incident notification; and
(iii) Within one month, a final detailed report should be submitted.
How will NIS 2 be enforced?
Essential entities will be subject to an elaborate ex ante and ex post supervisory regime, whereby they are required to systematically document measures taken to comply with cybersecurity risk management measures.
The ex ante supervision may consist of strict audits, including on-site inspections and off-site supervision; regular and targeted security audits carried out by the relevant supervisory authority; and ad hoc audits when justified by a significant event or a fundamental breach of NIS 2 provisions.
Important entities are only subject to an ex post supervisory regime: i.e. supervisory authorities will only conduct investigations into these entities if there is evidence or information that they have infringed their NIS 2 obligations.
NIS 2 establishes a minimum list of administrative sanctions for breaching cybersecurity risk management or reporting obligations.
These sanctions include:
- Issuing warnings and imposing binding instructions;
- Temporary suspension of an authorisation or certification to conduct certain activities;
- Temporary prohibition to exercise certain managerial functions at CEO or legal representative level;
- An order to implement the recommendations of a security audit; and
- An order to inform users of a significant cyber threat.
NIS 2 also allows Member States to demand that organisations who violate the Directive make a public announcement acknowledging the violation and identifying the person(s) responsible.
Essential entities can also be hit with an administrative fine of up to the higher amount of €10 million or 2% of worldwide turnover.
For important entities, the maximum fine is the higher of €7 million or 1.4% of the global turnover.
How should you respond?
1. Map your exposure
In scope organisations should map out the requirements that apply to their organisation.
In particular, they need to understand their obligations in relation to cyber risk management and incident reporting – and consider what changes need to be made to existing practices.
Organisations operating in the digital health sector will need to be mindful that different requirements may apply within different Member States, and that the NIS 2 requirements may be supplemented by requirements in other sector-specific regulation.
Generally speaking, entities will fall under the jurisdiction of the Member State(s) where they have an establishment. This means that organisations with establishments in multiple Member States will have to abide by the laws implemented in each of those jurisdictions.
Multinational organisations may therefore face a significant compliance exercise to ensure compliance with multiple, potentially different frameworks.
2. Find your gaps
Many sophisticated healthcare organisations (especially those subject to NIS 1) will already have processes in place to ensure cyber resilience. However, these may not adhere to the strict new requirements under NIS 2.
Healthcare organisations and newly in scope medical device manufacturers should conduct a gap analysis between existing processes and NIS 2 obligations to properly understand the scope of change required.
In particular, organisations should start to review their internal incident response plans and incident management procedures.
3. Budget for implementing changes
According to the EU, companies already subject to NIS 1 should expect an increase of up to 12% in their ICT spend for the years immediately following the implementation of NIS 2.
For companies not subject to NIS 1, the increased cost estimate is 22%.
4. Review supply chains
In scope organisations should start thinking about the changes they may need to make to their supply/customer contracts, as well as amendments to ensure appropriate protections are in place for future engagements.
Specifically, organisations must assess the vulnerabilities specific to each direct supplier and service provider as well as the overall quality of products and cybersecurity of their suppliers and service providers.
On this basis, they must flow down their security standards to their suppliers and service providers, taking into account both technical and non-technical risk factors.
Practically speaking, entities will have to perform third party security assessments and incorporate appropriate security requirements in their third-party contracts.
5. Train staff
Compliance with NIS 2 requirements will oblige staff at all levels in organisations to be cyber-aware, from management down.
Member States have until 17 October 2024 to transpose the Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing legislation becomes effective in the relevant Member State.
Compliance with all of the requirements in the NIS 2 Directive will be a time-consuming and costly exercise, and will require considerable organisational buy-in at all levels (not least because management themselves have strict obligations under the Directive).
Organisations should not delay engaging with these requirements, especially those organisations that were not previously subject to NIS 1, and for whom much of this covers new ground.
For more information on how to prepare for NIS 2, please contact Louis Vanderdonckt, Nikhil Shah & Tim Van Canneyt.