Co-funded by the European Union

European Parliament voted for a new draft cybersecurity law

  • On 28 October 2021, the European Parliament’s Committee on Industry, Research and Energy adopted a draft directive on cybersecurity (“NIS2 Directive”).
  • It imposes specific cybersecurity requirements on large European-based companies, relating to incident response, supply chain security, encryption and vulnerability disclosure obligations, aiming to establish better cooperation and information sharing between EU Member States, and to create a common European vulnerability database.


How should EU employers prepare for the new changes?

In 2016, the Network and Information Security Directive (“NIS Directive”) introduced for the first time legislation imposing cybersecurity requirements and incident reporting obligations on operators of essential services and digital service providers.

Two years after the deadline for EU Member States to transpose the NIS Directive into national law, the European Commission is now proposing to replace the NIS Directive with the so-called ‘NIS 2 Directive’, seeking to strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

As reported by the European Parliamentary Research Service, cyber-attacks are among the fastest-growing forms of crime worldwide. The pandemic has triggered an unforeseen acceleration in the digital transformation of societies around the world, but this growing digital connectivity exposes economies and societies to cyber-threats and has contributed to a global rise in cybersecurity incidents.

On 16 December 2020, the Commission presented a proposal for a directive on measures for a high common level of cybersecurity across the Union (NIS 2), setting out three general objectives:

  1. Increasing the level of cyber-resilience of a comprehensive set of businesses operating in the European Union across all relevant sectors, obliging more companies to invest in online safety measures;
  2. Reducing inconsistencies in resilience across the internal market in the sectors already covered by the directive;
  3. Improving the level of joint situational awareness and the collective capability to prepare for and respond to cyber-attacks.

Under the draft proposals adopted by the European Parliament’s industry, research and energy committee, companies that fail to comply with their obligations could face fines of up to 2 per cent of their revenue.

These regulatory changes are bound to have major consequences for employers' business organisations, whose policies will have to be updated and implemented. Employers will have to begin developing suitable cybersecurity training for workers and updating existing IT systems.

From an employment point of view, these changes in cybersecurity will also raise concerns about compliance with regulations protecting employee privacy, and with provisions regulating the remote monitoring of employees, which vary with national legislation.

Moreover, managing cybersecurity risk through employees may entail reporting and union consultation obligations for the employer.

As a next step, the 27 governments of the EU Council will have to take a political position with regard to the provisions of NIS 2. If there is institutional agreement on NIS 2 next year, EU member states will have until 2024 to fully transpose NIS 2 into their national laws.