The Network and Information Security (NIS) Directive was the first comprehensive EU-wide legislation focused on cybersecurity. Its main goal was to establish a high common level of cybersecurity across all Member States, ensuring that essential services and digital infrastructures are robust against cyber threats.
However, implementing the original NIS Directive proved challenging. Member States experienced difficulties that led to inconsistencies and fragmentation in cybersecurity measures across the EU. This inconsistency made it harder to effectively combat the increasing number of cyber-attacks associated with growing digitalization.
To address these challenges and the evolving cyber threat landscape, the European Commission proposed a new directive to replace the original NIS Directive, commonly referred to as NIS2. The objectives of NIS2 are to:
- Strengthen security requirements: Implement more rigorous cybersecurity obligations for organizations, including risk management and incident reporting.
- Address supply chain security: To enhance overall supply chain security, recognize and mitigate risks arising from suppliers and service providers.
- Streamline reporting obligations: Simplify and harmonize the process for reporting cybersecurity incidents to reduce administrative burdens.
- Introduce stringent supervisory measures: Enhance oversight by national authorities to ensure compliance with the directive.
- Implement harmonized sanctions: Establish consistent penalties across Member States for non-compliance to ensure uniform enforcement throughout the EU.
By expanding its scope, NIS2 will oblige a broader range of entities and sectors to adopt cybersecurity measures. This includes more businesses deemed critical to the economy and society, increasing the EU’s overall cybersecurity resilience in the long term.
Legislative Process and Adoption:
- The proposal was assigned to the Committee on Industry, Research and Energy within the European Parliament.
- The committee adopted its report on 28 October 2021.
- The Council of the European Union agreed on its position on 3 December 2021.
- A provisional agreement between the co-legislators (the Parliament and the Council) was reached on 13 May 2022.
- The political agreement was formally adopted by both the Parliament and the Council in November 2022.
- The NIS2 Directive entered into force on 16 January 2023.
- Member States have until 17 October 2024, to transpose the directive’s measures into their national laws.
This means that by October 2024, all EU Member States must implement the provisions of NIS2, leading to a more unified and more robust cybersecurity framework across Europe.
What is the NIS2 Directive?
The Network and Information Security Directive 2 (NIS2) is a comprehensive piece of European Union legislation aimed at enhancing cybersecurity across Member States. Adopted to replace the original NIS Directive of 2016, NIS2 seeks to address the growing complexities and threats in the digital landscape by establishing a higher common level of cybersecurity throughout the EU.
Key Aspects of the NIS2 Directive:
- Unified Cybersecurity Framework: NIS2 provides a harmonized approach to cybersecurity, ensuring that all Member States adhere to consistent standards and practices.
- Expanded Scope: It broadens the range of sectors and types of entities that are obligated to implement cybersecurity measures.
- Risk Management and Reporting: The directive mandates stringent risk management protocols and incident reporting requirements for organizations.
- Supply Chain Security: Emphasizes the importance of securing supply chains and addresses vulnerabilities that can arise from third-party relationships.
- Supervisory and Enforcement Measures: Introduces stronger supervisory actions and harmonized penalties for non-compliance across the EU.
Purpose of the NIS2 Directive:
- Enhance Resilience: To improve the cyber resilience of essential and important entities that provide services critical to the economy and society.
- Mitigate Cyber Threats: To reduce the risk and impact of cyber incidents, including cyber-attacks, data breaches, and other security events.
- Facilitate Cooperation: To strengthen cooperation among Member States, facilitating information sharing and coordinated responses to cyber threats.
Background of the Original NIS Directive:
The original NIS Directive, adopted in 2016, was the first EU-wide legislation on cybersecurity. It aimed to achieve a high common level of cybersecurity across the Union by:
- Improving National Cybersecurity Capabilities: Encouraging Member States to develop national cybersecurity strategies and establish Computer Security Incident Response Teams (CSIRTs).
- Enhancing Cooperation: Setting up mechanisms for cooperation among Member States.
- Securing Critical Sectors: Requiring Operators of Essential Services (OES) and Digital Service Providers (DSPs) to take appropriate security measures and notify significant incidents to relevant authorities.
Challenges and Limitations of the Original NIS Directive:
Despite its groundbreaking nature, the original NIS Directive faced several challenges:
- Fragmented Implementation:
- Divergent National Approaches: Member States had significant leeway in implementation, leading to inconsistencies in cybersecurity measures and enforcement.
- Variations in Identification of OES: Differences in how the Member States identified operators of essential services resulted in uneven application of the directive.
- Limited Scope:
- Sector Coverage: The original directive covered a limited number of sectors, potentially overlooking other critical areas vulnerable to cyber threats.
- Entity Size: Smaller entities that could still have a significant impact if disrupted were often excluded from obligations.
- Evolving Cyber Threat Landscape:
- Increased Digitalization: Rapid digital transformation across industries outpaced the provisions of the original directive.
- Sophisticated Cyber Attacks: The rise in frequency and complexity of cyber-attacks required more robust and adaptive cybersecurity frameworks.
- Reporting Obligations:
- Complexity and Burden: Inconsistent reporting requirements created administrative burdens for organizations operating in multiple Member States.
Reasons for Developing NIS2:
To address these challenges and adapt to the evolving cyber landscape, the European Commission proposed the NIS2 Directive with the following motivations:
- Harmonization: Establish more consistent cybersecurity requirements and supervisory measures across Member States.
- Expansion of Scope: Include additional sectors and entities critical to the economy and society.
- Enhanced Cooperation: Strengthen mechanisms for information sharing and coordinated responses to cross-border cyber incidents.
- Improved Supply Chain Security: Recognize and mitigate risks arising from dependencies on third-party suppliers and service providers.
- Streamlined Reporting: Simplify and align incident reporting obligations to reduce administrative overhead.
Objectives of the NIS2 Directive:
- Achieve High Common Level of Cybersecurity: Ensure that all Member States and entities within the scope adopt robust cybersecurity measures.
- Enhance Risk Management and Incident Reporting: Mandate comprehensive risk management practices and timely reporting of significant incidents.
- Strengthen Supply Chain Security: Address vulnerabilities in the supply chain by imposing obligations on entities to assess and manage third-party risks.
- Improve Cooperation and Information Sharing: Facilitate better collaboration between Member States and relevant stakeholders to respond effectively to cyber threats.
- Harmonize Supervisory and Enforcement Measures: Introduce consistent supervisory actions and penalties across the EU to ensure uniform compliance.
Key Changes Introduced in NIS2:
- Expanded Scope and Coverage:
- Broader Range of Sectors: NIS2 includes additional sectors such as manufacturing, waste management, postal services, and space.
- Essential and Important Entities: Distinguishes between ‘essential’ and ‘important’ entities, both subject to obligations, but with varying levels of supervisory measures.
- Size Cap Removal: Applies to medium and large entities, removing previous thresholds that excluded certain organizations based on size.
- Enhanced Governance Requirements:
- Management Accountability: Management bodies are directly responsible for approving cybersecurity measures and can be held liable for non-compliance.
- Mandatory Training: Requires that management bodies receive training in cybersecurity risk management.
- Stricter Risk Management and Security Measures:
- Comprehensive Risk Assessments: Entities must conduct thorough risk assessments and implement appropriate technical and organizational measures.
- Incident Handling and Business Continuity: Obligations include incident response planning, crisis management, and business continuity strategies.
- Streamlined Reporting Obligations:
- Simplified Processes: Harmonizes reporting procedures to reduce complexity, with clear timelines and requirements.
- Reporting Thresholds: Defines what constitutes a significant incident, reducing ambiguity.
- Supply Chain and Third-Party Risk Management:
- Assessment of Suppliers: Entities must evaluate the cybersecurity practices of their suppliers and service providers.
- Contractual Obligations: Encourage incorporating cybersecurity requirements into contracts with third parties.
- Enhanced Supervision and Enforcement:
- Risk-Based Supervision: Authorities adopt a risk-based approach to supervising essential and important entities.
- Harmonized Penalties: Introduces administrative fines proportionate to the entity’s turnover, aligning with practices like those in the GDPR.
- Cooperation and Information Sharing:
- Cooperation Group: Strengthens the role of the Cooperation Group to facilitate strategic cooperation.
- CSIRTs Network: Enhances the network of Computer Security Incident Response Teams for operational cooperation.
- Jurisdiction and Territoriality:
- Non-EU Entities: Obligates entities outside the EU that offer services within the EU to comply with NIS2 and appoint an EU representative.
- Main Establishment: Defines criteria for determining an entity’s main establishment in the EU.
- Alignment with Other Legislation:
- Synergy with Other Acts: Ensures coherence with other EU regulations like the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience Directive (CER).
How NIS2 Addresses Previous Shortcomings:
- Consistency Across Member States: Reduces fragmentation by standardizing requirements and supervisory practices.
- Comprehensive Coverage: Addresses gaps by including more sectors and ensuring that critical entities of all sizes are subject to cybersecurity obligations.
- Clear Obligations and Definitions: Provides precise definitions and requirements to eliminate ambiguities that hindered the original directive’s implementation.
- Strong Enforcement Mechanisms: Implements harmonized penalties and enforcement actions to ensure compliance is taken seriously across all Member States.
- Enhanced Cooperation Frameworks: Strengthens cooperation at both strategic and operational levels to improve collective resilience against cyber threats.
The NIS2 Directive represents a significant advancement in the EU’s efforts to bolster cybersecurity. By learning from the challenges of the original NIS Directive, NIS2 introduces comprehensive measures to ensure that organizations across the EU adopt robust cybersecurity practices. Understanding these changes is crucial for entities to comply effectively and contribute to a more secure digital environment.
Navigating NIS2 Compliance: Is Your Organization Prepared?
October 1, 2024 - The Business Continuity InstituteThe Network and Information Systems Directive (NIS2)[1] is an update on the NIS directive of 2018 that responds to the growing threats associated with digitalisation and the surge in cyber-attacks. It aims to bring an enhanced common level of cybersecurity to Europe by protecting critical infrastructure and ensuring digital service providers have effective security measures in place.
Commission ponders what makes a ‘significant’ cybersecurity incident under NIS2
October 3, 2024 - EURACTIVThe latest draft of the implementing act seen by Euractiv defines a “significant” incident as one that harms health or causes financial losses over €500,000 or 5% of turnover.
NIS2 compliance hampered across EU as October deadline approaches
September 17, 2024 - Pinsent MasonsEmbedding cybersecurity controls into everyday business processes can help businesses comply with wide-ranging new EU cyber legislation that is due to take effect next month, but that task is being made more difficult by slow progress by EU countries in implementing required laws.
Network and Information Security Directive (NIS2)
October 4, 2024 - Arthur CoxThe NIS 2 Directive, formally known as Directive (EU) 2022/2555, represents a significant advancement in the European Union’s approach to cybersecurity. Building on the foundations of the original NIS Directive, NIS 2 expands its scope to cover a broader range of sectors and entities, ensuring that critical infrastructure across the EU is better protected against cyber threats. The directive introduces stricter cybersecurity requirements, including enhanced measures for securing supply chains and streamlined reporting obligations.
How UK firms can get ready for the implementation of NIS2
August 9, 2024 - ComputerWeekly.comThe law compels European organisations to strengthen the cyber security of their supply chains. So, if UK businesses supply their products and services to EU-based customers, they must comply with NIS2 requirements. Thacker says this is key to allowing them to “maintain operations and relationships with EU clients and partners”.
NIS2 Directive: New draft implementing regulations published
June 28, 2024 - noerr.comThe Network and Information Security Directive 2.0 (“NIS2 Directive”), which was adopted at the end of 2022, is still the subject of extensive discussions on legal policy. It requires companies in certain sectors and industries above a certain company or group size to implement cybersecurity risk management measures. As a European directive, the NIS2 Directive is not directly applicable to companies, but must first be implemented by the EU Member States in their national jurisdictions. National legislators have until 17 October 2024 to do so.
NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents
July 8, 2024 - Inside PrivacyMany companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.
Demystifying NIS2 Directive: What UK Businesses Need to Know | NIS2 Explained
Understanding the New NIS2 Directive: Compliance for EU Businesses
NIS2 Explained: Cybersecurity Essentials | Peter Rising MVP
NIS2 Directive Summary For Beginners
Sophos Spotlight: NIS2 Directive and Understanding Cybersecurity Compliance
How ISO27001 certification can help you comply with DORA, NIS2 and even the AI Act
Guide to DORA and NIS2 - EU Compliance
Discover more from The Global Centre for Risk and Innovation (GCRI)
Subscribe to get the latest posts sent to your email.