The impact of the NIS2 Directive: will hospital CEOs have to become cybersecurity experts?
Manuel Durães Rocha
Abreu Advogados, Lisbon
manuel.rocha@abreuadvogados.com
Simão de Sant’Ana
Abreu Advogados, Lisbon
simao.santana@abreuadvogados.com
Introduction
In a world where virtual communication has largely replaced face-to-face human interaction, cybersecurity has become a priority both for individuals and for the entities that manage internet-connected systems. Nonetheless, legislators seem to find it difficult to keep pace with this fast-moving technological world.
The original Network and Information Security (NIS) Directive,[1] adopted in 2016, was the first legislative measure at European level aimed at enhancing cooperation between Member States and creating a first level of harmonisation in the field of cybersecurity. However, it was short-lived. A few years after its publication, EU legislators identified the need to broaden the scope of its application and its obligations, so, on 14 October 2022, the revised Network and Information Security Directive (NIS2)[2] was born.
Although the NIS2 Directive was due to be transposed into national Member State law by 17 October 2024, various European countries are still struggling with the legislative process. Portugal, our home country, is no exception. It seems that national governments consider the NIS2 Directive to be of vital importance, but the significant financial investments required appear to have delayed implementation in some Member States.
The new rules
With the approval of the NIS2 Directive, the management boards of hospitals and other entities in the health sector have been given a new set of obligations. These make board members directly and personally responsible both for the level of cybersecurity compliance of the entities that they manage and administer and for any cybersecurity failures that those entities may suffer.
To start with, management bodies in the health sector will be subject to an ‘accountability obligation’, according to which it will be up to them not only to approve the appropriate measures, but also to evidence the production and maintenance of documentation and records relating to the adoption, implementation and execution of cybersecurity measures appropriate to the entities that they manage. These measures include, among other things, the design and implementation of information security policies and of policies for recording and responding to cybersecurity incidents.
Additionally, board members will have to promote and attend cybersecurity training sessions, and such training must extend to all employees and collaborators involved with the entity in question.
Management bodies must also appoint a person responsible for cybersecurity in the entities that they manage. This may be a member of a management body who takes on responsibility for cybersecurity in addition to their existing duties, or a body that is autonomous from such management positions, provided it remains accountable to them. It should be noted, however, that assigning the specific tasks of the cybersecurity officer to a particular person does not relieve the other members of the management body of their own responsibilities under the NIS2 Directive.
The heads of management bodies will also be subject to inspections and audits by the competent cybersecurity authority. In this context, in the event of repeated non-compliance with the obligations imposed by the NIS2 Directive, the competent cybersecurity authorities have the power to temporarily suspend the certification or authorisation granted to the legal entity to carry out its activities, and even to request a temporary ban on the exercise of the respective management functions in that entity by any natural person with management responsibilities at the level of executive director or legal representative of that entity.
In this context, the liability attributable to directors should not be overlooked, as the NIS2 Directive and the relevant national laws will provide for the possibility of imposing considerable fines. Specifically, for essential entities such as hospitals, fines of up to €10m or two per cent of their annual worldwide turnover will be possible, among other sanctions. For directors, individual and direct fines of up to €250,000 will also be available to the authorities in the event of non-compliance.
These penalties are of real importance for directors, since the cybersecurity authorities have gradually been adopting a reactive stance in the face of non-compliance with the obligations imposed by the legal framework for security in cyberspace. As an illustration, the National Cybersecurity Centre in Portugal initiated 63 administrative offence proceedings in 2023 against firms for violating the cybersecurity rules applicable at the time.
It seems that, with the implementation of the NIS2 Directive, hospital CEOs will no longer be able simply to delegate responsibility for cybersecurity to experts hired specifically for that purpose; they will have to become experts themselves.
Notes
[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.