The EU's 2030 Digital Agenda sets the course for a European digital future and comes with a package of new legislation. That legislation brings numerous changes and obligations for a wide range of organizations, and it is therefore also relevant to M&A practice: the scope of due diligence investigations will expand significantly as a result.
Legal Data Due Diligence
We're now accustomed to conducting privacy due diligence based on regulations such as the General Data Protection Regulation (GDPR). However, a privacy due diligence review will now be too narrow in scope. Before conducting due diligence, it's important to understand which regulations are relevant to a transaction, what obligations this entails for organizations, and (potentially) the risks for a buyer. Therefore, consult our online tool at www.legaldataduediligence.nl to determine which EU data laws may apply to the target company before a transaction.
This blog provides M&A practitioners with guidance on the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA). For each law, we discuss the core obligations, scope, risks, and key considerations for M&A practitioners.
NIS2
The Network and Information Security Directive (NIS2) aims to improve the digital and economic resilience of European Member States through a high level of cybersecurity.
The directive must be implemented into Dutch law by October 17, 2024, through the Cybersecurity Act. However, due to delays, it is still unclear when the implementation will be completed.
What are the core obligations?
NIS2 has three core obligations for organizations:
- Registration obligation: Entities designated as essential or important must register their organization in the entity register (in the Netherlands with the NCSC).
- Duty of Care: Essential and important entities must conduct a risk assessment and implement appropriate technical, operational, and organizational measures to protect their network and information systems.
- Reporting obligation: All essential or important entities must immediately report incidents with significant consequences to the supervisory authority and the CSIRTs.
Does the law apply to the target?
NIS2 focuses on critical organizations and their direct suppliers or service providers. Organizations that supply indirectly to NIS2 entities may also fall under the directive. Therefore, it is important to gain insight into a target's customer base during the due diligence phase.
To determine whether NIS2 applies, the sector and size must be considered.
1. Relevant sectors
An organisation falls under NIS2 if it is active in one of the relevant sectors listed in Annexes I and II.
| Highly critical sectors (Annex I) | Other critical sectors (Annex II) |
|---|---|
| Energy | Postal and courier services |
| Transport | Waste management |
| Banking | Production and distribution of chemical substances |
| Financial market infrastructure | Production and distribution of food products |
| Health care | Manufacturing |
| Drinking water | Digital providers |
| Wastewater | Research |
| Digital infrastructure | |
| ICT service management (B2B) | |
| Government | |
| Space travel | |
2. The size of the organization
There are two regimes under NIS2: one for essential entities and one for important entities. The difference lies in the intensity of supervision and the level of fines.
Essential entities: large organisations (≥250 employees, or ≥€50 million turnover and ≥€43 million balance sheet total) in the sectors listed in Annex I.
Important entities: medium-sized organisations (≥50 employees, or ≥€10 million turnover and balance sheet total) in the sectors listed in Annexes I and II.
What are the risks?
Non-compliance with NIS2 can lead to high fines: up to €10,000,000 or 2% of global turnover for essential entities, and up to €7,000,000 or 1.4% for important entities.
What should you pay attention to during a transaction?
- Is NIS2 directly or indirectly applicable?
- Is the organization registered in the central register?
- Does the company have a cybersecurity policy plan and risk framework?
- Are incident reports and audits in order?
- Are staff trained in cybersecurity procedures?
- Are suppliers and contracts NIS2 compliant?
DORA
The Digital Operational Resilience Act (DORA) aims to make financial institutions within the EU more resilient to cyber threats. DORA entered into force on January 17, 2023, and companies must comply with its obligations from January 17, 2025.
What are the core obligations?
The obligations under DORA focus on four pillars:
- ICT risk management: establishing governance and control frameworks, risk analysis, backup and recovery plans, and raising awareness of IT threats.
- Incident reporting: recording, detecting and reporting ICT-related incidents and threats.
- Operational resilience testing: conducting risk-based testing, except for micro-enterprises.
- ICT risk management for third-party providers: establishing policies, information registers, and contractual requirements for ICT suppliers.
Does the law apply to the target?
DORA applies to almost all financial entities, including banks, insurers, crypto service providers, and crowdfunding platforms. ICT suppliers to these institutions are also indirectly covered by DORA.
What are the risks?
Non-compliance can lead to fines of up to 1% of the global average daily turnover. In the Netherlands, the AFM can refuse or revoke licenses. For ICT suppliers, non-compliance can lead to contract termination and loss of value.
What should you pay attention to during a transaction?
- Is DORA applicable directly or indirectly?
- Are governance and ICT risk frameworks in place?
- Are the ICT inventory, security policy and information register in order?
- Are the contracts with third-party ICT service providers DORA-compliant?
- Are periodic stress tests and audits performed?
- Is there an incident response plan and disaster recovery plan?
Conclusion
The new EU data legislation has a significant impact on M&A practice, particularly on the due diligence process. Its scope must be expanded into a "Legal Data Due Diligence" that identifies the applicable legislation, the target's compliance with it, and the associated risks.
Non-compliance can lead to high costs, fines, reputational damage, and loss of value. Both buyers and sellers are advised to check beforehand whether the legislation applies and whether the organization is compliant.
Want to know more?
Contact one of our specialists.