NIS2 Directive: what you need to know
What is NIS2?
The NIS2 Directive (Network and Information Security Directive) is a European Union directive focusing on cyber security and the resilience of critical infrastructures and digital service providers.
Its introduction was motivated by the increase in cyber threats and the growing reliance on digital technologies across all critical sectors.
The NIS2 Directive is an important step toward greater regulation of cyber security throughout the European Union.
It builds on the foundations laid by NIS1, its predecessor, and aims to address the expansion of digital infrastructure in all critical sectors.
The EU initiated this regulation to respond to contemporary challenges and protect the digital landscape, safeguarding economic and social interests.
What NIS2 Envisions
The NIS2 Directive envisions the implementation of a holistic and structured approach to reduce risks and prevent cyber threats to sensitive data and IT systems.
The requirements include a wide range of tools and methodologies that encompass protecting the IT environment from attacks such as ransomware, phishing, and unauthorized access.
Here are the main features of NIS2:
- Risk Management: the Directive requires the implementation of a comprehensive cyber risk governance framework, with clearly defined roles, responsibilities, and escalation paths. This signals to organizations the need to enhance their cybersecurity vigilance and protect their operations and reputation.
- Information Management: information is the lifeblood of modern businesses, and the NIS2 Directive emphasizes its secure management. Compliant organizations must demonstrate effective information security procedures, from encryption methods and secure data transmission channels to regular cybersecurity training for staff.
- Security Enhancement: the Directive requires raising cybersecurity standards in both preventive defense and response procedures, and companies must demonstrate adherence to the Directive’s guidelines to avoid hefty penalties.
- Expansion of Applicability: the NIS2 Directive goes beyond the NIS1 category of Operators of Essential Services (OES) and introduces a broader distinction between essential and important entities, which Member States must identify by April 17, 2025.
- Risk of Trust Loss: non-compliance with the NIS2 Directive can result in a significant loss of trust from customers, partners, and investors, as data breaches and cyber attacks become increasingly widespread.
- Risk of Penalties: corporate executives are personally responsible for compliance with the NIS2 Directive and can be held personally accountable for non-compliance. This entails severe financial consequences, such as potential fines and damage compensation claims.
When will the NIS2 Directive come into force?
The EU cyber security rules introduced in 2016 have been updated by the NIS2 Directive, which entered into force in 2023.
The requirements imposed by the Directive will become effective from the day after the date of transposition by the Member States, set for 17 October 2024.
NIS2 has modernised the existing legal framework to keep pace with increased digitalization and an evolving landscape of cyber security threats.
Compliance Requirements for Critical Infrastructures under the NIS2 Directive
The NIS2 Directive (Network and Information Security Directive) focuses on cyber security and the resilience of critical infrastructures and digital service providers within the European Union.
The compliance requirements for critical infrastructures under the NIS2 Directive are identified as follows:
- Risk Analysis and Cybersecurity Policies: critical infrastructures must conduct risk analyses and establish cybersecurity policies to protect their operations and customer data.
- Incident Management (Threat Response, Operational Continuity, and Recovery): critical infrastructures must activate effective incident management procedures, including threat response, operational continuity, and service recovery.
- Supply Chain Security: critical infrastructures must ensure the security of their supply chain, protecting the data and information that pass through it.
Who the NIS2 Directive applies to
The NIS2 Directive applies to sectors considered essential for the development of the economy and market within the European Union, such as:
- Energy: the production, transmission, and distribution of electricity are considered critical infrastructures for energy security and economic stability in the EU.
- Transport: transport services, such as traffic management systems, railway stations, and airports, are considered critical infrastructures for safety and citizen mobility.
- Banking and Finance: banks and financial institutions are considered critical infrastructures for economic stability and the security of citizens’ deposits.
- Healthcare: healthcare systems, such as care centers and healthcare facilities, are considered critical infrastructures for public health and patient safety.
- Digital Infrastructures: communication systems, such as the internet and telecommunication infrastructures, are considered critical infrastructures for communication and citizen connectivity.
- Postal Services: postal services, such as mail and parcel delivery, are considered critical infrastructures for communication and citizen connectivity.
- Public Administration: government structures and public agencies are considered critical infrastructures for public policy management and citizen safety.
- Digital Service Providers: digital service providers, such as payment service providers and security service providers, are considered critical infrastructures for security and economic stability in the EU.
How the NIS2 Directive can help SMEs improve their competitiveness
The NIS2 Directive can help SMEs (small and medium-sized enterprises) improve their competitiveness in several ways:
- Reduce the risk of cyber attacks: NIS2 requires organizations to take cyber security measures to reduce the risk of attacks and incidents, protecting their systems and data against cyber threats. This proactive approach helps reduce downtime and minimise the economic damage caused by IT incidents.
- Improving System Resilience: the NIS2 Directive promotes a multi-risk approach to reduce vulnerabilities and prevent incidents, improving IT risk management and system security. This approach helps ensure business continuity and reduce recovery times in the event of an incident.
- Competitiveness: SMEs that take the security measures required by the NIS2 Directive can gain a competitive advantage by demonstrating their commitment to data protection to partners and customers. This approach helps strengthen customer confidence and improve business reputation.
- Collaboration between companies and authorities: the NIS2 Directive promotes collaboration between companies and national authorities, favoring a coordinated approach to cybersecurity. This approach helps to strengthen corporate cyber resilience not only internally, but also in the network of suppliers and business partners.
- Governance and risk management: the NIS2 Directive requires organizations to assess risks, including those related to the supply chain, and implement the necessary organizational measures to ensure business continuity. This approach helps to improve risk management and reduce downtime.
- Supply Chain: SMEs must consider the vulnerabilities and cybersecurity practices of each of their suppliers, in order to avoid incidents or service interruptions. This approach helps ensure security and business continuity along the supply chain as well.
- Administrative penalties: essential entities may be subject to administrative fines of up to €10 million or 2% of total global turnover if they do not meet the security requirements. This approach helps incentivize organizations to comply with security requirements.