New EU Cybersecurity Rules Impact US Firms: NIS2 and DORA Set Stringent Standards
November 8, 2024

The European Union is rolling out a new wave of cyber security regulations, including the Network and Information Security Directive (NIS2), which will significantly impact US businesses operating in the EU.
NIS2 is part of a broader regulatory framework that includes the General Data Protection Regulation (GDPR) and the forthcoming Digital Operational Resilience Act (DORA), set to take effect in January 2025.
DORA will impose stringent requirements on EU financial institutions, which will also affect US service providers through contractual obligations.
Under NIS2, affected businesses must implement ten specific cyber security measures and ensure that their management teams are well-trained in these protocols.
NIS2 aims to protect critical infrastructure in the EU and holds board members personally liable for failing to secure it against cyber attacks.
Non-compliance with NIS2 can lead to penalties of up to €10 million or 2% of global turnover, whichever is higher, and management may face personal liability.
In the event of significant operational disruptions due to IT failures, businesses are required to notify regulators within 24 hours and may also need to inform customers.
Although NIS2 was initially set to be enforced starting mid-October 2024, delays in implementation mean it is now expected to take effect late 2024 to early 2025.
The original NIS1 directive, enacted in 2016, focused primarily on physical infrastructure, but NIS2 expands its scope to include various essential technology services.
NIS2 applies not only to EU-based businesses but also to non-EU entities, particularly US technology companies such as cloud computing providers and data centers.
Additionally, the recently passed Cyber Resilience Act will require many US software and hardware companies to undergo third-party product security assessments.
Firms like Womble Bond Dickinson are stepping up to offer legal advice on compliance with NIS2 and other evolving EU cyber security regulations.
Summary based on 2 sources
Sources
National Law Review • Nov 8, 2024
New Cyber Security Rules for US Technology Companies Operating in the EU
Womble Bond Dickinson • Nov 8, 2024
New Cyber Security Rules for US Technology Companies Operating in the EU