Hogan Lovells | 2023 Life Sciences and Health Care Horizons | Privacy and Cybersecurity
Get ready for NIS2
The Directive on measures for a high common level of cybersecurity across the EU (NIS2) entered into force in January 2023. NIS2 replaces the Network and Information Security Directive (NIS1) to address the increasing number of cyber threats at a global level, reflect the fast pace of digitalization, and enhance cyber resilience in Europe. It gives Member States 21 months to transpose NIS2 into their national laws.

NIS2 updates security requirements, streamlines reporting obligations, revises the enforcement regime and harmonizes sanctions, and applies to more entities than NIS1. NIS2 applies to the following health sector entities of medium or large size or identified by Member States as being essential or important:

• health care providers (also governed by NIS1);
• laboratories;
• entities carrying out research and development activities of medicinal products;
• entities manufacturing basic pharmaceutical products and pharmaceutical preparations; and
• entities manufacturing medical devices considered to be critical during a public health emergency.
Joke Bodewits
Partner, Amsterdam
Fenneke Buskermolen
Associate, Amsterdam
Such entities can already prepare for NIS2 compliance by:

• Taking appropriate and proportionate technical, operational and organizational cybersecurity risk-management measures to manage risks posed to the security of network and information systems and their physical environment, and to protect them against incidents. Measures include policies on risk analysis and information system security and on the effectiveness of the measures, incident handling, supply chain security, training, and the use of authentication solutions.

• Ensuring that their management body approves and oversees the implementation of the cybersecurity risk-management measures. The management body shall be trained to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity. Further, the management body can be held liable for failing to implement appropriate cybersecurity risk-management measures.

• Notifying the Computer Security Incident Response Team (CSIRT) or other competent authority about incidents having a significant impact on the provision of services. Entities should submit an early warning within 24 hours of becoming aware of the significant incident, an incident notification within 72 hours, and a final report within a month. Further, recipients of services potentially affected by a significant cyber threat should be informed of any measures or remedies they are able to take in response to that threat.