Why the cyber attacks dramatised in the Netflix series ZERO DAY are a real threat, and how the EU’s NIS2 Directive aims to prevent them

Photo: Rhiannon Elliot on unsplash.com

This is a brief review of the Netflix series ZERO DAY and an introduction to the key cybersecurity obligations for organisations arising from the forthcoming implementation of the EU’s NIS2 Directive.

What happened on ZERO DAY

In the new Netflix series ZERO DAY, Robert De Niro gives a fine performance as former US President George Mullen, who retired after one term in office and is called back by his successor to address public concerns following a major cyber attack on airports and the rail network in the United States.

After successfully taming an angry public, incited by a podcaster spreading fear with conspiracy theories about a government scam, Mullen reluctantly accepts his new role as head of a special ZERO DAY Commission tasked with hunting down the attackers before they strike again. Though a man of integrity, Mullen soon seems compromised by his new powers, as he begins to use them without regard for civil liberties and the rule of law in his quest to catch the hackers, who are not Russian state-sponsored but homegrown activists from Brooklyn, NY. In the process, Mullen is increasingly seen as a tyrant and as someone who is losing his mind, because he keeps hearing the same song by a punk band in his head. It will take everything that has made him who he is, and a personal sacrifice, to uncover the truth. The solution to the mystery of ZERO DAY is left for the final episode, and revealing it here would only spoil your viewing experience. ZERO DAY is an intelligent political thriller reminiscent of Sydney Pollack’s Three Days of the Condor (which you should definitely see if you haven’t already), with its own very timely story and a stellar cast in top form.

Like it or not: Why ZERO DAY matters

ZERO DAY is a work of fiction, but it is also a cautionary tale in the guise of a television series that is very relevant to us all. As the saying goes, you don’t have to be a rocket scientist to see that: For the fourth year in a row, the Allianz Risk Barometer ranks cyber incidents such as ransomware, data breaches and IT outages as the top global business risk for 2025.

According to this insightful and accessible study, the risk affects a wide range of industries, such as aviation, chemicals, financial services, technology and telecommunications, to name but a few. And not only large corporations but also small and medium-sized enterprises (SMEs), in both developed and emerging markets, have become targets. As we know only too well, cyber attacks on vital infrastructure do not respect national borders, so attacks like those depicted in ZERO DAY could happen any day in Europe if potential targets do not comply with their cybersecurity obligations under the national laws of the EU Member States implementing the EU Directive designed to prevent them. The following overview of these obligations is intended to assist companies and other legal entities in their efforts to comply with these cybersecurity rules.

Photo: Adnan Khan on unsplash.com

What has the European Commission done to reduce cyber security risks in the EU?

The European Commission began to take notice of cybersecurity risks some years ago and has since addressed them in not one but several pieces of legislation, namely:

  • The EU Cybersecurity Act (Regulation (EU) 2019/881) entered into force on 27 June 2019
  • The NIS2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023
  • The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force on 16 January 2023 and has applied since 17 January 2025
  • The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024.

Of these, the NIS2 Directive specifically addresses the risk at the heart of the ZERO DAY series: attacks on transport infrastructure. However, the Directive does not only apply to airlines, airports and railways; it also introduces new obligations for entities in many other sectors.

In total, the number of “essential” and “important” entities that will have to comply with the NIS2 Directive and the EU Member States’ implementing legislation is estimated at 29,000.

If you want to find out whether your business needs to comply with the NIS2 cybersecurity framework and what your obligations are, read on.

What’s the current state of play regarding the NIS2 Directive?

To become effective, the NIS2 Directive needs to be transposed into national law by the EU Member States. The deadline for transposition was 17 October 2024, but a number of Member States are still behind schedule. In particular, at the time of writing, Germany, France, Spain, Ireland, the Netherlands and other Member States have not yet transposed the Directive and are still working on national implementing legislation. The European Commission has set up a website providing information on the implementation of the Directive by each EU Member State, which you may wish to consult.

Who must comply with the NIS2 Directive?

The NIS2 Directive generally applies to public or private entities that qualify as medium-sized or large enterprises and that provide their services or carry out their activities in the European Union. For the purposes of the Directive, an entity is a natural or legal person created and recognised as such under the national law of its place of establishment, which, acting under its own name, may exercise rights and be subject to obligations.

Overall, the Directive classifies entities that exceed the ceilings for medium-sized enterprises (i.e. large enterprises) and operate in one of the following 11 sectors of high criticality listed in Annex I as essential entities, requiring them to take appropriate measures to manage cybersecurity risks and to comply with reporting and information obligations:


  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT B2B managed services
  • Public administration
  • Space.

In addition, the Directive designates certain types of entities as essential irrespective of the thresholds above: qualified trust service providers, top-level domain name registries and DNS service providers regardless of their size, as well as medium-sized providers of public electronic communications networks or publicly available electronic communications services, to name but a few.

Entities of a type listed in Annex I or Annex II of the Directive that are not considered “essential” are “important entities” and must also comply with the obligations set out below. This covers medium-sized entities operating in one of the sectors above as well as entities in the following sectors, which Annex II lists as other critical sectors:


  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital providers
  • Research.

Fortunately, the German Federal Office for Information Security (BSI) has created a handy online tool that entities can use to determine whether they are subject to the new cybersecurity obligations under the NIS2 Directive and the national implementing legislation.

Unfortunately, it is only available in German. Furthermore, the tool should be treated as a “first aid kit” only: it provides initial guidance, not binding information or legal certainty.

What are the cybersecurity obligations under the NIS2 Directive?

Essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems they use for their operations or for the provision of their services. Most of these measures are quite basic and well established, such as


  • the introduction of risk analysis and information security policies
  • incident handling
  • business continuity
  • basic cyber hygiene practices and cybersecurity training for management and employees
  • human resources security, access control policies and asset management
  • the use of multi-factor authentication or continuous authentication solutions and similar techniques.

However, the Directive requires essential and important entities not only to take appropriate cybersecurity measures themselves, but also to address supply chain security, including the security-related aspects of their relationships with their direct suppliers and service providers. To meet this obligation, essential and important entities should enter into supply chain security agreements that set out the concrete measures those suppliers and service providers will take to ensure cybersecurity in their own organisations. Compliance with such agreements should be verified through regular audits.

In addition, suppliers should be contractually obliged to report any incident in their organisation that may affect the cybersecurity of the supply chain. Other, less common measures required by the NIS2 Directive include policies and procedures on the use of cryptography and, where appropriate, encryption. It is also worth noting that having the right cybersecurity risk-management measures in place is not enough: entities are also required to have policies and procedures for assessing the effectiveness of those measures.

In addition, the NIS2 Directive obliges EU Member States to ensure that essential and important entities meet their reporting and information obligations for any incident that has a significant impact on the provision of their services. To do so, they must notably take the following steps:

  1. Submit an early warning of any significant incident to the Computer Security Incident Response Team (CSIRT) designated by the Member State (or, where applicable, the competent authority) without undue delay and in any event within 24 hours of becoming aware of it. Where applicable, the early warning shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.

  2. Submit an incident notification, without undue delay and in any event within 72 hours of becoming aware of the significant incident, which updates the information given in Step 1 and indicates an initial assessment of the significant incident, including its severity and impact as well as, where available, the indicators of compromise.

  3. Submit an intermediate report on relevant status updates if requested by the CSIRT.

  4. Provide a final report to the CSIRT not later than one month after the submission of the incident notification under Step 2, containing a detailed description of the incident, including its severity and impact, the type of threat or root cause that is likely to have triggered it, the mitigation measures applied and ongoing, and, where applicable, the cross-border impact of the incident. If the incident is still ongoing at that time, a progress report is submitted instead, with the final report due within one month of the entity’s handling of the incident.


As defined by the Directive, an incident is “significant” if it meets at least one of the following criteria:

  • it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or
  • it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Essential and important entities must also inform the recipients of their services without undue delay of significant incidents that are likely to adversely affect the provision of those services. Moreover, the Directive requires EU Member States to ensure that such entities inform the recipients of their services who are potentially affected by a significant cyber threat, without undue delay, of any measures or remedies that those recipients can take in response to the threat and, where appropriate, of the significant cyber threat itself.

The CSIRT or the competent national authority may also decide, after consulting the entity concerned, to inform the public about a significant incident where public awareness is necessary to prevent or handle it or where disclosure is otherwise in the public interest.

Other reporting obligations, in particular where the incident is of a criminal nature, remain unaffected.

What are the consequences of failing to meet these obligations?

Depending on the nature of the obligation, non-compliance by an essential entity may result in administrative fines of up to €10 million or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher. For important entities, the corresponding ceiling is €7 million or 1.4% of worldwide annual turnover, whichever is higher.

Photo: Resource database on unsplash.com

EU Member States must also ensure that the members of the management body of an essential entity can be held liable for infringements of the entity’s cybersecurity risk-management obligations, and that the competent authorities can request that any natural person discharging managerial responsibilities at CEO or legal representative level be temporarily prohibited from exercising managerial functions in that entity.

So yes, it is highly advisable to ensure full compliance with the obligations set out in the NIS2 Directive and the national implementing legislation.

Other cyber risks ahead and how to prevent them: The EU Cyber Resilience Act

Cybersecurity is not only threatened by attacks on the essential and important entities covered by the NIS2 Directive, but also by vulnerabilities in smart home products. Current estimates predict a staggering 478.2 million homes equipped with smart devices by 2025.

This is reason enough to look at the cyber risks of smart home products and their regulation under the EU Cyber Resilience Act in another post soon, so stay tuned.

About the author

Dr. Andreas Leupold is an industry lawyer with 25+ years’ experience in advising and litigating for German, US and UK clients.

He serves on the advisory board of mga, the leading international network for industrial additive manufacturing, and is a member of the legal working group of the Platform Industrie 4.0 established by the German Federal Ministry for Economic Affairs.

Andreas is the author of several handbooks on industrial 3D printing and IT law and most recently covered the legal aspects of 3D printing in a study for NATO/NSPA.

Connect with Andreas on LinkedIn