Direktyva (ES) 2022/2555 dėl priemonių aukštam bendram kibernetinio saugumo lygiui visoje Europos Sąjungoje užtikrinti (TIS 2 direktyva) / Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Europe Union (NIS 2 Directive)

The NIS 2 Directive requires to implement new and more stringent cybersecurity rules, and to dramatically improve risk prevention, detection, response, incident handling, business continuity, supply chain security, vulnerability handling and disclosures.

The management bodies of essential and important entities (see below) must approve the cybersecurity risk-management measures taken by those entities, oversee its implementation, and can be held liable for infringements.

Essential and important entities must ensure that the members of the management bodies to follow training and to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

Essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

The measures shall be based on an „all-hazards approach” that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include „at least” the following:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management;
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Who must comply with the NIS 2 directive?

NIS 2 implementing national laws applies to public or private entities of a type referred to in NIS 2 Annex I or II (see below) which qualify as medium-sized enterprises, or exceed the ceilings for medium-sized enterprises, and which provide their services or carry out their activities within the European Union.

A microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. NIS 2 does not apply there.

A small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. NIS 2 does not apply there too.

A medium-sized enterprise is defined as an enterprise which employ between 50 and 250 persons and which have an annual turnover between EUR 10 million and EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. NIS 2 applies there.

Sectors to whom NIS 2 may apply:

Annex I of NIS 2 provides:

  • Energy
    • Electricity
      • Electricity undertakings
      • Distribution system operators
      • Transmission system operators
      • Producers
      • Nominated electricity market operators
      • Market participants
    • District heating and cooling
      • Operators of district heating or district cooling
    • Oil
      • Operators of oil transmission pipelines
      • Operators of oil production, refining and treatment facilities, storage and transmission
      • Central stockholding entities.
    •  Gas
      • Supply undertakings
      • Distribution system operators
      • Transmission system operators
      • Storage system operators
      • LNG system operators
      • Natural gas undertakings
      • Operators of natural gas refining and treatment facilities
    • Hydrogen
      • Operators of hydrogen production, storage and transmission.
  • Transport
    • Air
      • Air carriers used for commercial purposes
      • Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports
      • Traffic management control operators providing air traffic control (ATC) services
    • Rail
      • Infrastructure managers
      • Railway undertakings, including operators of service facilities
    • Water
      • Inland, sea and coastal passenger and freight water transport companies
      • Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports
      • Operators of vessel traffic services (VTS)
    • Road
      • Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity
      • Operators of Intelligent Transport Systems
  • Banking
    • Credit institutions
  • Financial market infrastructures
    • Operators of trading venues
    • Central counterparties (CCPs)
  • Health
    • Healthcare providers
    • EU reference laboratories
    • Entities carrying out research and development activities of medicinal products
    • Entities manufacturing basic pharmaceutical products and pharmaceutical preparations
    • Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list)
  • Drinking water
    • Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods
  • Waste water
    • Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.
  • Digital infrastructure
    • Internet Exchange Point providers
    • DNS service providers, excluding operators of root name servers
    • TLD name registries
    • Cloud computing service providers
    • Data centre service providers
    • Content delivery network providers
    • Trust service providers
    • Providers of public electronic communications networks
    • Providers of publicly available electronic communications services
  • ICT service management (business-to-business)
    • Managed service providers
    • Managed security service providers
  • Public administration
    • Public administration entities of central governments as defined by a Member State in accordance with national law
    • Public administration entities at regional level as defined by a Member State in accordance with national law
  • Space
    • Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks

Annex II of NIS 2 provides:

  • Postal and courier services
  • Waste management
    • Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity
  • Manufacture, production and distribution of chemicals
    • Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, and undertakings carrying out the production of articles
  • Production, processing and distribution of food
    • Food businesses which are engaged in wholesale distribution and industrial production and processing
  • Manufacturing
    • Manufacture of medical devices and in vitro diagnostic medical devices
      • Entities manufacturing medical devices, and entities manufacturing in vitro diagnostic medical devices
    • Manufacture of computer, electronic and optical products
    • Manufacture of electrical equipment
    • Manufacture of machinery and equipment
    • Manufacture of motor vehicles, trailers and semi-trailers
    • Manufacture of other transport equipment
  • Digital providers
    • Providers of online marketplaces
    • Providers of online search engines
    • Providers of social networking services platforms
  • Research
    • Research organisations