Skip to content

The duty of care under NIS2

We have previously discussed the “duty of care”, but what exactly does this entail? Under the former Network and Information Security Directive, a dual duty applies to providers of essential services and digital service providers: a duty to report and a duty of care. In this blog, we will explain the latter. Under the former directive, the duty of care applies to both essential service providers and digital service providers. It involves taking appropriate and proportionate technical and organisational measures to manage the risks to the security of network and information systems.

The new NIS2 Directive establishes a different distinction: essential and important entities, reflecting the extent to which they are critical as regards their sector or the type of service they provide, as well as their size. Both types of entities will be required to comply with the duty of care. It is up to the Member States to establish a list of essential and important entities based on the most appropriate national mechanisms, allowing entities to register themselves. Entities become subject to cybersecurity risk management measures when registered under one of the two categories. These should be proportionate to the degree of the essential or important entity’s exposure to risks and to the societal and economic impact that an incident would have. Due account of the entity’s criticality, size, and likelihood of occurrence of incidents should also be taken.

In this context, security refers to the ability of network and information systems to withstand actions that compromise availability, authenticity, integrity, and confidentiality. The Commission Implementing Regulation (Regulation (EU) 2018/151) further specifies the security elements to be observed: security of systems and facilities, incident handling, business continuity management, monitoring, control and testing, and international standards.  

Minimum measures

The NIS2 Directive lists a minimum set of measures, including conducting risk analysis and instituting policies on information systems security, incident enforcement, business continuity and crisis management, supply chain security, and security in the procurement, development, and maintenance of network and information systems. Also included are policies and procedures to assess the effectiveness of risk management measures and the use of cryptography and encryption.

Essential and important entities should also adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness; organise training for their staff; and raise awareness concerning cyber threats, phishing, or social engineering techniques. Furthermore, those entities should re-evaluate their cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity-enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems.

In addition, to demonstrate compliance with these measures, Member States may require essential and important entities to use specific ICT products, services, or processes that will be certified under the European cybersecurity certification schemes adopted under the Cybersecurity Act (Regulation (EU) 2019/881).

Moreover, the European Commission is empowered to adopt implementing and delegated acts to specify risk management measures further. Thus, obligations can become more defined, taking into account new cyber threats, technological developments, or sector-specific features.

Monitoring and enforcement

Member States must ensure that they carry out effective supervision to ensure compliance with the Directive’s requirements. Regarding essential entities, this implies proactive supervision. In contrast, it implies reactive supervision for important entities, which may be triggered by evidence, indication, or information that the entity allegedly does not comply with the Directive. Indeed, in the latter case, action should only be taken when, for a Member State, it appears that an important entity does not comply with the obligations laid down in the Directive. To this end, supervisory authorities have a comprehensive set of supervisory powers and enforcement tools at their disposal. The NIS2 Directive also extends liability to natural persons who can be held responsible for breaching the duty of care. Thus, in addition to the legal person, an organization’s director can also be held liable.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.