About NIS 2

The NIS2 Directive enhances EU cybersecurity, expanding requirements across sectors to improve resilience, risk management, and supply chain security.

NIS 2 and Its Implications for Cybersecurity

The Network and Information Security Directive 2 (NIS2) is a groundbreaking legislative framework introduced by the European Union, building on the foundation laid by the original NIS Directive. As the digital landscape continues to evolve, so too do the threats that target critical infrastructures and essential services. NIS2 addresses these challenges by expanding the scope of cybersecurity requirements and increasing the obligations for organizations across both the public and private sectors. The directive’s primary goal is to bolster the cybersecurity resilience of the EU, ensuring that critical infrastructures, supply chains, and essential services are fortified against an ever-growing and sophisticated array of cyber threats.

The Evolution from NIS to NIS 2

The original NIS Directive, adopted in 2016, was a significant step forward in enhancing the cybersecurity posture of the EU. It established the first set of binding rules for cybersecurity across the Union, requiring member states to develop national strategies and imposing cybersecurity obligations on operators of essential services (OES) and digital service providers (DSPs). However, as cyber threats have evolved in complexity and scope, the limitations of the original NIS Directive became apparent.

NIS 2 represents the EU’s response to these evolving challenges. It not only updates the provisions of the original directive but also significantly expands its scope. The directive now covers additional sectors, including manufacturing, postal and courier services, waste management, and food production, among others. By broadening the range of sectors required to implement robust cybersecurity measures, NIS 2 ensures that a greater portion of the EU’s critical infrastructure is protected from cyber threats.

Key Provisions of NIS2

NIS 2 introduces several key provisions designed to strengthen the cybersecurity posture of organizations across the EU.

Broadened Scope of Application

NIS 2 applies to a wider range of sectors and entities than the original directive. This includes both public and private entities in industries that were previously not covered, recognizing that cyber threats can target any part of the economy with potentially devastating effects.

Stronger Risk Management and Reporting Requirements

Organizations under the scope of NIS 2 are required to implement comprehensive risk management practices. This includes regular risk assessments, the implementation of appropriate cybersecurity measures, and the establishment of clear protocols for incident reporting and response.

Enhanced Supply Chain Security

One of the most significant updates in NIS 2 is its emphasis on the security of supply chains. The directive recognizes that vulnerabilities in one part of the supply chain can have widespread implications, and therefore requires organizations to ensure that their suppliers and partners adhere to robust cybersecurity standards.

Increased Accountability and Penalties

NIS 2 introduces stricter enforcement mechanisms and higher penalties for non-compliance. This reflects the EU’s commitment to ensuring that organizations take cybersecurity seriously and invest in the necessary measures to protect their operations and customers.

Mandatory Cooperation and Information Sharing

NIS 2 encourages cooperation and information sharing among member states, as well as between the public and private sectors. This collaborative approach is essential for effectively responding to cross-border cyber threats and ensuring a coordinated response to incidents.

Emphasis on Cybersecurity Governance

Cybersecurity governance under NIS 2 mandates that organizations develop clear policies and procedures that define roles, responsibilities, and accountability across all levels of the organization. This ensures that cybersecurity is not just an IT issue but a critical component of overall business strategy.

How NIS 2 Impacts Organizations

The impact of NIS 2 on organizations cannot be overstated. The directive’s expanded scope and stricter requirements compel companies to adopt a proactive, comprehensive approach to cybersecurity. Those in newly covered sectors must swiftly adapt, implementing robust risk management strategies, strengthening incident response protocols, and securing their supply chains. Compliance with NIS 2 is now crucial for maintaining business resilience and safeguarding against evolving cyber threats.

One of the most critical aspects of NIS 2 is its focus on supply chain security. In today’s interconnected digital ecosystem, the security of your organization is only as strong as the weakest link in your supply chain. NIS 2 recognizes this and places significant emphasis on ensuring that all suppliers and partners adhere to rigorous cybersecurity standards. This requires organizations to conduct thorough risk assessments of their supply chains, implement stringent cybersecurity measures, and continuously monitor for potential vulnerabilities.
