Throughout 2022, cybersecurity lawyers have kept their eyes firmly fixed on two pieces of EU cybersecurity legislation: the NIS2 Directive (“NIS2”) and the Cyber Resilience Act (the “CRA”). With NIS2 having been formally enacted by the EU and the draft text of the CRA being published by the European Commission in September 2022, businesses should take time in 2023 to digest the implications of NIS2 and the CRA on their cybersecurity compliance programmes, both in terms of organisational measures and product compliance.
NIS2’s purpose is to encourage businesses to improve their resilience and incident response capabilities. It is a wide-reaching directive, applying to medium and large entities (by way of a size cap test) across a broad spectrum of industries operating in the public and private sectors (by way of a sectoral test). Similar to the GDPR, NIS2 applies not only to organisations established in the EU but also to any business that offers goods and services in the EU and meets the size cap and sectoral tests.
Firstly, NIS2 places obligations on businesses to adopt appropriate technical, organisational and operational measures to manage cybersecurity risks and their responses to any cybersecurity incidents. Such measures include (1) regular cybersecurity risk analysis and review of security policies; (2) implementation and review of incident handling policies; and (3) business continuity planning in the event of a cybersecurity incident. Businesses, therefore, should reflect on the sophistication of their current cybersecurity policies during 2023 and consider how they can be improved.
Secondly, NIS2 focuses on corporate governance, obliging the management bodies of businesses to approve cybersecurity risk management measures and oversee their implementation. Interestingly, members of such management bodies may be liable under NIS2 for their business’s failure to comply with NIS2. The risk of personal liability should encourage management bodies to carefully consider their business’s cybersecurity compliance programmes.
In terms of timing, NIS2 was officially approved by the European Council on 28 November 2022. The official text is not yet available in the EU’s Official Journal, but once it is, NIS2 will officially come into force. Member States will have 21 months to transpose NIS2 into domestic law.
The CRA can be seen as the cousin to NIS2. Whilst NIS2 focuses on organisational requirements for achieving good cybersecurity compliance, the CRA focuses squarely on the development and distribution of digital products (i.e. software and hardware that connects to a network) in the EU.
The CRA applies to a broad pool of actors in the supply chain: manufacturers, importers and distributors. Manufacturers bear the brunt of the CRA’s obligations, being required to ensure that their products are designed, developed and produced in a manner that maximises their cybersecurity integrity; the Annexes to the CRA contain an extensive list of such requirements. Moreover, manufacturers are obliged to maintain a comprehensive set of documentation that (1) instructs the user on how to use the product and (2) describes the product’s cybersecurity vulnerabilities, how they have been tested and the steps taken to mitigate them. A product cannot be placed on the EU market without this documentation.
Importers serve a largely supervisory function, ensuring that products are manufactured in line with the requirements of the CRA and that the necessary technical documentation is in place and CRA-compliant. Distributors similarly must ensure that the technical documentation is readily available and that the necessary declarations of conformity with the CRA have been executed.
The draft text of the CRA was published by the European Commission in September 2022. The CRA will need to undergo the formal EU legislative process before it becomes law, which will likely take several years.
Two pieces of cybersecurity legislation being introduced in tandem may feel alarming, but the sky is not falling just yet. Both NIS2 and the CRA will take a number of years before they enter into force. However, there is no time like the present, and medium to large businesses in the digital sphere that trade in the EU should start to reflect now on their internal cybersecurity compliance practices, both in terms of internal policies as well as product development, regardless of where in the supply chain they operate.