Cybersecurity and the life sciences sector: the NIS2 Directive

Wednesday 3 December 2025

Julie Austin
Mason, Hayes & Curran, Dublin
jaustin@mhc.ie

James Gallagher
Mason, Hayes & Curran, Dublin
jamesgallagher@mhc.ie

The European Union’s Revised Network and Information Security Directive, Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148, otherwise known as the NIS2 Directive, forms part of a package of measures to improve the cybersecurity of critical organisations. The NIS2 Directive will require an overhaul of how organisations approach cybersecurity and places leadership accountability at its core. The NIS2 Directive is currently being transposed into the national law of the EU Member States, meaning the exact application of the rules will vary from country to country. As a result, this will create a compliance challenge for multinational organisations.

In this article, we highlight the key provisions set out in the NIS2 Directive, examine its application to the life sciences sector and outline practical steps organisations should take to ensure compliance.

Its application to the life sciences sector

In basic terms, subject to meeting certain size criteria, the NIS2 Directive will apply to entities in sectors that are considered critical to the EU’s security and the functioning of its economy. These industries include the health, food and manufacturing sectors. In particular, for life sciences companies, again subject to meeting certain size criteria, the NIS2 Directive will apply to the following types of companies and activities:

  • healthcare providers;
  • EU reference labs;
  • research and development involving medicinal products;
  • the manufacture of basic pharmaceutical products/preparations;
  • the manufacture of medical devices and in vitro diagnostic medical devices;
  • the manufacture of medical devices considered to be critical during a public health emergency;
  • the manufacture, production and distribution of chemicals;
  • the manufacture of electronic products; and
  • food businesses.

Generally, organisations in the life sciences sector will be subject to the separate and concurrent jurisdiction of each EU Member State in which they are established. These various national rules are causing significant headaches for multinational organisations, as the rules can vary significantly from Member State to Member State.

For example, in some countries, the definition of the health sector has been expanded to include the distribution and importation of medical products, while in other jurisdictions these sectors are out of scope. The rules mean that multinational organisations must comply with all local laws transposing the NIS2 Directive in every Member State in which they are established. They must also register with the relevant competent authority in each Member State. In addition, they are required to report significant cross-border cybersecurity incidents to the relevant competent authorities. Senior management within organisations in each Member State are responsible for compliance. The stakes are high, as boards and senior management can be held directly accountable for compliance failings. This is causing particular issues for multinational life sciences organisations, where, traditionally, cybersecurity was the responsibility of the head office or parent company, with affiliates simply relying on the measures adopted by the parent organisation.

Key issues for life sciences businesses

The key challenges facing life sciences organisations are as follows:

  • Registration: In-scope entities will need to register with the national competent authority in each Member State in which they are established. Each Member State has set its own registration deadlines and procedures, which can be complex.
  • Risk management measures: Under the NIS2 Directive, each Member State will establish a set of risk management measures (RMMs) that organisations will be required to implement, as appropriate. The management body of each organisation, such as the board of directors, must approve the RMMs adopted by their own organisation. They must also oversee the implementation of the RMMs. In certain jurisdictions, members of the management body risk being held personally liable for any infringements. The RMMs vary across the EU Member States, with different assessment and certification frameworks being introduced. These circumstances will inevitably lead to inconsistent approaches across the EU. For example, there is a requirement in Hungary and Romania to appoint a specified local auditor to assess the company’s compliance. However, this requirement doesn’t exist in the other Member States at present.
  • Supply chain due diligence: As part of a company’s RMMs, the NIS2 Directive requires entities to carry out due diligence in regard to their supply chain security. Organisations will have to ensure that they have confidence in the network and information systems of their suppliers, in addition to their own network and information systems.
  • Incident reporting: In-scope life sciences organisations will be obliged to report significant cybersecurity incidents to the relevant competent authority. An initial report must be made within 24 hours of the organisation becoming aware of the incident. Follow-up reports must be made within 72 hours, with the final report to be made in 30 days. Each country will have different reporting mechanisms and reporting requirements. As a result, handling a cross-border incident will be challenging. Multinational organisations should ensure that they have internal reporting procedures in place so if a cross-border incident occurs, there is an established process to follow. These procedures should be tested through the use of tabletop exercises.
  • Training: Training must also be provided to management bodies to equip them to meet their obligations to approve and implement RMMs. Cybersecurity training should also be provided to all company employees.