A shift in company risks and the European NIS 2 Directive

by Nico van der Peet 


It is commonly believed that English and Dutch trading companies setting sail to explore new opportunities in the 17th century were among the first in the world. Back then every entrepreneur knew very well what all entrepreneurs still know today – there is no profit without taking any risk. Consequently, entrepreneurs need to have an appetite for risk.

In the 17th century, fire, mutiny, and the plague were amongst the greatest threats to a successful oceanic trade undertaking. Furthermore, it was accepted that a large number of the ship’s crew would die or that the ship would be wrecked entirely. Luckily, today this is not seen as a healthy degree of company risk appetite. While mutiny and the plague are no longer risks directors must consider, new business risks are present. Relatively new business risks today – not imaginable years ago – include a lack of sustainability, reputational damage, and cybercrime.

The development of cybercrime as a business risk is exceptional. The question is not if an entity will be struck by cybercrime but when. When that happens, it may (temporarily) obstruct a company from its business. That is why directors must recognize cybercrime as one of today’s major business risks, and perhaps even as the biggest business risk.

To improve the cyber resilience of critical entities which are crucial for the proper functioning of a modern society and economy, the European Union adopted the European Network and Information Security Directive on 14 December 2022 (NIS 2). NIS 2 (a successor to the first NIS directive, also known as the NIB) has broadened the scope of very critical sectors like energy, transport, and healthcare, and of critical sectors like digital providers, courier services, and waste management. The deadline for implementing NIS 2 into national legislation is October 2024.

The main obligations under NIS 2 are:

  • A duty to register the critical entity as such;
  • A duty of care which involves carrying out a risk assessment and taking measures accordingly to guarantee continuation of services as much as possible and protection of the information used;
  • A duty to report to the supervising authority within 24 hours after a cyber security incident has occurred; and
  • A duty to inform those persons and entities affected as a result of said incident.

Very generally speaking, globally, the law requires directors of companies to take company risks in manageable proportions, and if they fail to do so, directors may be held personally liable for breaching their fiduciary responsibilities and duties. With or without NIS 2, cybercrime is a business risk every director needs to take into account. In this respect, cybercrime can be combated in the same way as fire risk or all other business risks that could (temporarily) deprive a company of its business operations. The simple but hard rules to manage such business risks are (i) conduct a risk assessment, (ii) take appropriate measures, and (iii) monitor properly from time to time.


Nico van der Peet is the head of Thuis Partners’ business law and corporate litigation department. He counsels on corporate structures, participations, and joint ventures. His activities include litigation relating to shareholder disputes, decision making, and liability.


21 August 2024

Nico van der Peet

Thuis Partners Advocaten, Partner
