Companies in Africa that do business with European Union (EU) member countries must comply with the recently enforced NIS2 Directive cyber security regulation or face potential fines of up to €10 million or 2% of their global annual turnover, whichever is higher.
NIS2 Directive, which builds upon the original Network and Information Security Directive introduced in 2016, imposes strict cyber security requirements, including enhanced management liability, reporting to authorities, risk management, and business continuity planning. While it came into force in January 2023, EU member states had until 17 October 2024 to transpose it into national law.
Ahmore Burger-Smidt, director and head of the regulatory practice at Werksmans Advisory Service, says the NIS2 Directive focuses on operational resilience and cyber security, addressing the security of network and information systems, while GDPR primarily protects individuals' privacy.
NIS2 is detailed and prescriptive, imposing specific cyber security measures such as risk management and incident reporting, she notes.
"Where previously we have seen alignment in terms of the GDPR concerning privacy, NIS2 specifically emphasises cooperation between EU member states on cyber security issues. I would submit that it is not a question of either the GDPR or NIS2 – NIS2 aims to enhance the overall security posture, making it a vital complement to GDPR," says Burger-Smidt.
Stricter incident reporting rules
The NIS2 Directive mandates that organisations must report cyber incidents to authorities promptly and inform their stakeholders, suppliers, and customers.
In fact, NIS2 imposes more stringent reporting timelines than the GDPR: organisations must submit an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours and a final report within one month, whereas the GDPR sets a single 72-hour deadline for notifying the supervisory authority of a personal data breach.
Burger-Smidt points out that each EU member state is responsible for enforcing NIS2 and may set additional penalties, leading to variations across countries and higher risk to companies that do not comply.
There is also the question of personal liability of business leadership, where negligence is proven.
NIS2 introduces personal liability for business leaders in the event of a cyber attack: management bodies must approve and oversee the organisation's cyber security risk management measures and can be held liable for infringements, and national authorities may temporarily prohibit individuals from exercising managerial functions. The corporate fines are tiered by entity type. Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher, while important entities face fines of up to €7 million or 1.4% of global annual turnover, whichever is higher.
Burger-Smidt explains that the GDPR does not impose personal liability on C-suite executives, but NIS2 can hold them accountable for compliance failures, especially in cases of negligence. "This highlights the importance of implementing adequate cyber security measures and processes to respond effectively to incidents. In terms of NIS2, C-execs are expected to exercise due diligence in overseeing cyber security and may face consequences for failing to do so."
Wider scope
Yotasha Thaver, senior research analyst for IT security and software, data and analytics at IDC MEA, says NIS2 will create greater control over cyber resilience, with more stringent governance, risk management measures and reporting obligations.
"Parallels that can be drawn with GDPR include the strong focus on data protection and the reporting of incidents, with penalties for non-compliance. I would say the effect on trade between Europe and Africa will mean that stricter cyber security measures need to be adopted.
"This may increase the cost of cyber security spending for African businesses trading with European companies, but by enforcing compliance, it will also force African companies to improve their security posture framework," adds Thaver.