Understanding The NIS 2 Directive

Authored by Irina Lundergan
Cyber Security Consultant
Background:

NIS2 is the successor of the original Network and Information Security (NIS) Directive, EU-wide cybersecurity legislation adopted in July 2016 with the aim of enhancing the security of network and information systems across the European Union. Its initial focus was on operators of essential services in critical sectors such as energy, transport, water, finance, digital infrastructure and healthcare, with lighter-touch, ex-post supervision for digital service providers (such as online marketplaces, cloud providers and online search engines).

The deadline for EU Member states to transpose the directive into national law was initially set to May 9th 2018.

However, the rapidly evolving cyber threat landscape, the surge in cyber-attacks, and inconsistent implementation and a lack of harmonisation across Member States and business sectors prompted the European Commission to propose a new directive (NIS2) to repeal and replace the existing NIS Directive (NIS1). NIS2 was formally adopted in November 2022, giving EU Member States until October 17th 2024 to transpose its measures into national law. From that date, affected entities are expected to comply with the new cybersecurity requirements.

Key Objectives of NIS2:

The NIS2 Directive is built on several key objectives designed to create a more resilient digital ecosystem in the EU:

  1. Broader Scope: NIS2 significantly expands the sectors covered by the directive. While the original NIS focused on critical infrastructure, NIS2 includes a wider range of sectors, such as public administration, space, food production, and waste management. This broader scope reflects the increasing interdependence of different sectors in the digital age.
  2. Stronger Security Requirements: NIS2 introduces more stringent cybersecurity requirements for organizations within its scope. These include obligations to implement appropriate security measures, conduct risk assessments and establish incident response capabilities. The directive also emphasizes the need for organizations to ensure the security of their supply chains.
  3. Enhanced Cooperation and Information Sharing: One of the major goals of NIS2 is to improve cooperation and information sharing between EU member states. The directive establishes a framework for the exchange of information and best practices, enabling a more coordinated response to cross-border cyber threats.
  4. Harmonization of National Approaches: NIS2 aims to harmonize the different approaches to cybersecurity across EU member states. This includes establishing common criteria for identifying critical entities and defining minimum security requirements, which helps create a more consistent level of protection across the EU.
  5. Improved Incident Reporting: The directive mandates a staged reporting process for significant incidents: an early warning to the competent authority or CSIRT within 24 hours of becoming aware of the incident, a fuller incident notification (including an initial assessment of severity and impact) within 72 hours, and a final report within one month. This rapid, staged reporting is intended to enable quicker responses and mitigate the impact of cyber incidents.
Entities affected by NIS2:

The NIS2 Directive applies to entities that provide essential or important services to the European economy and society, including their suppliers. Whether an entity is classed as essential or important depends on its sector (Annex I or Annex II of the directive) and its size. Essential entities are generally large enterprises in Annex I sectors: 250 or more employees, or an annual turnover above 50 million Euros and a balance sheet total above 43 million Euros. Important entities are generally medium-sized enterprises (and large enterprises in Annex II sectors): 50 or more employees, or an annual turnover and balance sheet total above 10 million Euros. An entity may still be designated as “essential” or “important” even if it does not meet the size criteria, for example when it is the sole provider of a service that is critical to societal or economic activity in an EU Member State, or when it provides certain services such as DNS, top-level domain registries or trust services.

Conclusion:

The NIS2 Directive represents a significant step forward in the EU’s efforts to enhance cybersecurity across the region. By expanding the scope of the original directive and introducing more stringent requirements, NIS2 aims to create a more secure and resilient digital ecosystem. While the directive presents challenges (particularly for smaller organisations that may lack the resources to implement the required measures) it also offers an opportunity to strengthen their cybersecurity posture and contribute to a safer digital environment.

Organizations operating within the EU must take the necessary steps to comply with NIS2 by the 17th of October 2024, ensuring that they are prepared to meet the directive’s requirements and protect themselves against the growing threat of cyberattacks. By doing so, they will not only fulfil their legal obligations but also enhance their overall security and competitiveness in an increasingly digital world.


Get in touch to discover how we can support you on your NIS 2 journey.
