A new era of cybersecurity in Europe

Can remove management and shut down business

One of the most drastic changes in NIS 2 is that supervisory authorities are given the power to temporarily remove the management of organizations that do not comply with safety requirements. In addition, the organization’s activities can be temporarily halted, which can have serious financial consequences. Non-compliance can also result in the board and management being held personally liable for the consequences of the security breach.

Expanded scope and tougher sanctions

NIS 2 will cover many more organizations than before. Industries such as energy, transport, health, finance and IT will be particularly affected. The penalties for breaches are also significantly tougher, with fines of up to 2% of annual group turnover or €10 million, whichever is higher.

The directive also requires businesses to secure their entire supply chain, which includes all actors with whom the business collaborates. Reporting of security incidents and threats is tightened, with strict deadlines for notification. Further top management must also undergo cybersecurity training, as part of their obligations under the directive.

Norway is lagging behind

Norway is lagging in the implementation of the NIS directives. The Digital Security Act, which will implement the original NIS 1 Directive from 2016, is expected to come into force in 2024 at the earliest, a full eight years after it was adopted by the EU. Before the Act enters into force, a consultation round for associated regulations will be carried out, which we understand will take place in September or October this year. There will also be a separate consultation for the NIS 2 Directive.

The National Security Authority (NSM) is expected to become the supervisory authority in Norway to ensure compliance with the directives.

The way forward

For Norwegian organizations, it's important to start preparing now. Cybersecurity is not just a technical issue, but is also about management and organizational measures. Businesses need to assess their existing security procedures, implement necessary changes, and ensure that all parts of the organization, especially management and the board, are well informed and trained on the new requirements.

To avoid the severe sanctions and the risk of personal liability, it is crucial that organizations start working in a structured way with cyber security immediately. NIS 2 sets high standards, but it also provides a framework that can significantly strengthen an organization’s resilience to cyber threats, which should be the main motivation. In addition, there will be demands from EU-based companies to secure their value chain.

With this directive, the EU is setting a new standard for general cybersecurity requirements that can help protect both economic interests and critical societal functions in an increasingly digitized world.

Need help with cybersecurity? Feel free to contact Kristian Foss or one of our other skilled lawyers in the technology team.