The NIS2 Directive is a significant update to the previous NIS Directive, which was adopted in 2016. The new directive reflects the increasing importance of cybersecurity in the EU, and the need for a more comprehensive and coordinated approach to addressing this issue.
In this blog, we’ll take a thorough look at the NIS2 Directive, including why it was introduced, the difference between the NIS2 Directive and NIS1, and the adoption timeline.
What is the NIS2 Directive?
The Network and Information Security Directive (NIS2 Directive) is a European Union directive that regulates the security of digital networks and information systems across the EU and provides a common framework for security measures to be implemented. It is part of the European Digital Single Market strategy, and is applicable to all EU member states. It applies to operators of essential services, digital service providers, and digital infrastructure providers.
Why was the NIS2 Directive Introduced?
NIS2 was developed in response to the increasing number of cybersecurity threats that exist in today’s digital world. A common framework was thus required to ensure the security, availability and continuity of essential services and to protect the security and privacy of digital networks and information systems.
The NIS2 directive aims to:
- Analyze risks and develop information systems security policies;
- Develop business continuity and crisis management plans;
- Develop plans for incident detection, prevention and remediation;
- Focus on supply chain security;
- Use encryption to secure data at rest and in transit.
The Differences Between the NIS1 and NIS2 Directives
The NIS2 Directive is a significant step forward in the European Union’s efforts to improve cybersecurity. It is expected to help to protect critical infrastructure and businesses from cyberattacks.
Here is a table summarizing the key differences between the NIS1 and NIS2 Directives:
| Characteristic | NIS1 Directive | NIS2 Directive |
|---|---|---|
| Scope | Applies to operators of essential services | Applies to essential entities and important entities |
| Cybersecurity requirements | Less comprehensive and explicit | More comprehensive and explicit |
| Supervision and enforcement | Weaker | Stronger |
| Supply chain security | Not explicitly mentioned | Requires entities to take steps to mitigate the risks posed by their supply chains |
| Cyber hygiene | Not explicitly mentioned | Encourages entities to adopt good cyber hygiene practices |
Who Does the NIS2 Directive Apply To?
It is important to assess whether your organization is within the scope of NIS2 and what your obligations may be. NIS2 may affect your organization if you are a digital service provider, a digital infrastructure provider, or an operator of essential services. NIS2 applies to any organization that has more than 50 employees, whose annual turnover exceeds €10 million, and that belongs to one of the following industries:
- Electronic communication
- Digital services
- Space
- Waste management
- Food
- Critical product manufacturing (e.g. medicine)
- Postal services
- Public administration
What’s Changing in NIS2?
The NIS2 Directive introduces a number of new requirements, such as the requirement for organizations to create and maintain a security policy, to carry out periodic risk assessments, to report security incidents, and to develop continuity plans for essential services. It also introduces specific requirements for digital service providers and digital infrastructure providers. In addition to expanding the list of covered industries and eliminating the distinction between digital service providers (DSPs) and operators of essential services (OESs), NIS2 introduces the following changes:
- The introduction of a European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), which is designed to support the coordinated management of large-scale cybersecurity incidents.
- Better threat intelligence and coordination relating to new vulnerabilities discovered throughout the Union.
- A minimum list of basic security elements that must be applied, including more detailed information about how incidents are reported.
- Stricter supervisory measures and enforcement requirements, and better harmonization of sanctioning across Member States.
- Coordinated risk assessments of critical supply chains conducted by Member States – in cooperation with the Commission and ENISA.
Adoption Timeline for NIS2 and Next Steps
The NIS2 Directive was officially adopted by the European Parliament and the European Council on 15 November 2022, although Member States have until 17 October 2024 to adopt and publish the measures necessary to comply with the NIS2 Directive.
Organizations are legally required to apply those measures from 18 October 2024 onwards.
Organizations should begin to assess the impact of NIS2 on their operations and plan their compliance strategy. It is important to ensure, sooner rather than later, that adequate security measures are in place to meet the requirements of NIS2.
If you’d like to see how Lepide can help you prepare for NIS2, schedule a demo with one of our engineers today.