About NIS 2

Directive on measures for a high common level of cybersecurity across the Union (NIS 2)

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union

Directive on the Resilience of Critical Entities (CER)

Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC

Digital Operational Resilience Act (DORA)

Directive (EU) 2022/2554 of the European Parliament and of the Council o of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations

Proposal for the new Cyber Resilience Act (CRA)

Proposal: Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020

List of essential services

Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023 supplementing Directive (EU) 2022/2557 of the European Parliament and of the Council by establishing a list of essential services

EU Agency for Cybersecurity

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity)

The European Data Act

Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data.

European laws and regulations in the context of cybersecurity

MORE INFORMATION

The NIS2 Directive enhances EU cybersecurity, expanding requirements across sectors to improve resilience, risk management, and supply chain security.

Read the text

NIS 2 and Its Implications for Cybersecurity

The Network and Information Security Directive 2 (NIS2) is a groundbreaking legislative framework introduced by the European Union, building on the foundation laid by the original NIS Directive. As the digital landscape continues to evolve, so too do the threats that target critical infrastructures and essential services. NIS2 addresses these challenges by expanding the scope of cybersecurity requirements and increasing the obligations for organizations across both the public and private sectors. The directive’s primary goal is to bolster the cybersecurity resilience of the EU, ensuring that critical infrastructures, supply chains, and essential services are fortified against an ever-growing and sophisticated array of cyber threats.

The Evolution from NIS to NIS 2

he original NIS Directive, adopted in 2016, was a significant step forward in enhancing the cybersecurity posture of the EU. It established the first set of binding rules for cybersecurity across the Union, requiring member states to develop national strategies and imposing cybersecurity obligations on operators of essential services (OES) and digital service providers (DSPs). However, as cyber threats have evolved in complexity and scope, the limitations of the original NIS Directive became apparent.

NIS 2 represents the EU’s response to these evolving challenges. It not only updates the provisions of the original directive but also significantly expands its scope. The directive now covers additional sectors, including manufacturing, postal and courier services, waste management, and food production, among others. By broadening the range of sectors required to implement robust cybersecurity measures, NIS 2 ensures that a greater portion of the EU’s critical infrastructure is protected from cyber threats.

Key Provisions of NIS2

NIS 2 introduces several key provisions designed to strengthen the cybersecurity posture of organizations across the EU.

Broadened Scope of Application

NIS 2 applies to a wider range of sectors and entities than the original directive. This includes both public and private entities in industries that were previously not covered, recognizing that cyber threats can target any part of the economy with potentially devastating effects.

Stronger Risk Management and Reporting Requirements

Organizations under the scope of NIS 2 are required to implement comprehensive risk management practices. This includes regular risk assessments, the implementation of appropriate cybersecurity measures, and the establishment of clear protocols for incident reporting and response.

Enhanced Supply Chain Security

One of the most significant updates in NIS 2 is its emphasis on the security of supply chains. The directive recognizes that vulnerabilities in one part of the supply chain can have widespread implications, and therefore requires organizations to ensure that their suppliers and partners adhere to robust cybersecurity standards.

Increased Accountability and Penalties

NIS 2 introduces stricter enforcement mechanisms and higher penalties for non-compliance. This reflects the EU’s commitment to ensuring that organizations take cybersecurity seriously and invest in the necessary measures to protect their operations and customers.

Mandatory Cooperation and Information Sharing

NIS 2 encourages cooperation and information sharing among member states, as well as between the public and private sectors. This collaborative approach is essential for effectively responding to cross-border cyber threats and ensuring a coordinated response to incidents.

Emphasis on Cybersecurity Governance

Cybersecurity governance under NIS 2 mandates that organizations develop clear policies and procedures that define roles, responsibilities, and accountability across all levels of the organization. This ensures that cybersecurity is not just an IT issue but a critical component of overall business strategy.

How NIS 2 Impacts Organizations

The impact of NIS 2 on organizations cannot be overstated. The directive’s expanded scope and stricter requirements compel companies to adopt a proactive, comprehensive approach to cybersecurity. Those in newly covered sectors must swiftly adapt, implementing robust risk management strategies, strengthening incident response protocols, and securing their supply chains. Compliance with NIS 2 is now crucial for maintaining business resilience and safeguarding against evolving cyber threats.

One of the most critical aspects of NIS 2 is its focus on supply chain security. In today’s interconnected digital ecosystem, the security of your organization is only as strong as the weakest link in your supply chain. NIS 2 recognizes this and places significant emphasis on ensuring that all suppliers and partners adhere to rigorous cybersecurity standards. This requires organizations to conduct thorough risk assessments of their supply chains, implement stringent cybersecurity measures, and continuously monitor for potential vulnerabilities.

Get NIS 2 Supply Chain Risk Checklist

Download our free NIS2 Supply Chain Risk Checklist to ensure your organization meets the latest cybersecurity compliance standards effortlessly.

DOWNLOAD FOR FREE