What is the NIS2 Directive and How to Prepare for It

Terry Mann
Read time: 4 min | Updated on September 5, 2023

The NIS2 Directive is a significant update to the previous NIS Directive, which was adopted in 2016. The new directive reflects the increasing importance of cybersecurity in the EU, and the need for a more comprehensive and coordinated approach to addressing this issue.

In this blog, we’ll take a thorough look at the NIS2 Directive, including why it was introduced, the difference between the NIS2 Directive and NIS1, and the adoption timeline.

What is the NIS2 Directive?

The Network and Information Security Directive (NIS2 Directive) is a European Union directive that regulates the security of digital networks and information systems across the EU and provides a common framework for security measures to be implemented. It is part of the European Digital Single Market strategy, and is applicable to all EU member states. It applies to operators of essential services, digital service providers, and digital infrastructure providers.

Why was the NIS2 Directive Introduced?

NIS2 was developed in response to the increasing number of cybersecurity threats that exist in today’s digital world. A common framework was therefore required to ensure the security, availability and continuity of essential services and to protect the security and privacy of digital networks and information systems.

The NIS2 directive aims to:

  • Analyze risks and develop information systems security policies;
  • Develop business continuity and crisis management plans;
  • Develop plans for incident detection, prevention and remediation;
  • Focus on supply chain security;
  • Use encryption to secure data at rest and in transit.

The Differences Between the NIS1 and NIS2 Directives

The NIS2 Directive is a significant step forward in the European Union’s efforts to improve cybersecurity. It is expected to help to protect critical infrastructure and businesses from cyberattacks.

Here is a table summarizing the key differences between the NIS1 and NIS2 Directives:

Characteristic | NIS1 Directive | NIS2 Directive
Scope | Applies to operators of essential services | Applies to essential entities and important entities
Cybersecurity requirements | Less comprehensive and explicit | More comprehensive and explicit
Supervision and enforcement | Weaker | Stronger
Supply chain security | Not explicitly mentioned | Requires entities to take steps to mitigate the risks posed by their supply chains
Cyber hygiene | Not explicitly mentioned | Encourages entities to adopt good cyber hygiene practices

Who Does the NIS2 Directive Apply To?

It is important to assess whether your organization is within the scope of NIS2 and what your obligations may be. NIS2 may affect your organization if you are a digital service provider, a digital infrastructure provider, or an operator of essential services. NIS2 applies to any organization that has more than 50 employees, whose annual turnover exceeds €10 million, and that belongs to one of the following industries:

  • Electronic communication
  • Digital services
  • Space
  • Waste management
  • Food
  • Critical product manufacturing (e.g. medicine)
  • Postal services
  • Public administration

What’s Changing in NIS2?

The NIS2 Directive introduces a number of new requirements, such as the requirement for organizations to create and maintain a security policy, to carry out periodic risk assessments, to report security incidents, and to develop continuity plans for essential services. It also introduces specific requirements for digital service providers and digital infrastructure providers. In addition to expanding the list of covered industries and eliminating the distinction between digital service providers (DSPs) and operators of essential services (OESs), NIS2 introduces the following changes:

  • The introduction of a European Cyber Crisis Liaison Organization Network (EU-CyCLONe), which is designed to support the coordinated management of large-scale cybersecurity incidents.
  • Better threat intelligence and coordination relating to new vulnerabilities discovered throughout the Union.
  • A minimum list of basic security elements that must be applied, including more detailed information about how incidents are reported.
  • Stricter supervisory measures and enforcement requirements, and better harmonization of sanctioning across Member States.
  • Coordinated risk assessments of critical supply chains conducted by Member States, in cooperation with the Commission and ENISA.

Adoption Timeline for NIS2 and Next Steps

The NIS2 Directive was officially adopted by the European Parliament and the European Council on November 15, 2022, and Member States have until 17 October 2024 to adopt and publish the measures necessary to comply with the NIS2 Directive.

Organizations are legally required to apply those measures from 18 October 2024 onwards.

Organizations should begin assessing the impact of NIS2 on their operations and plan their compliance strategy. It is important to ensure, sooner rather than later, that adequate security measures are in place to meet the requirements of NIS2.

If you’d like to see how Lepide can help you prepare for NIS2, schedule a demo with one of our engineers today.
