Cybersecurity regulations exist to make sure that critical industries take the very real threat of cyberattacks seriously. The European Union (EU) has taken a significant step towards strengthening its existing cybersecurity framework with the NIS2 Directive (Directive (EU) 2022/2555). Adopted on 14 December 2022, the directive aims to establish a high common level of cybersecurity across the Union and to address the shortcomings of its predecessor, Directive (EU) 2016/1148 (NIS). Member States must transpose the directive into national law by 17 October 2024 and apply those measures from 18 October 2024.
Background
The NIS2 Directive is a response to the deficiencies identified in the original NIS Directive, the EU's first Union-wide legislation on cybersecurity. Adopted in July 2016 and in force from August 2016 (Member States had until May 2018 to transpose it), the directive aimed to establish a common level of network and information security. It focused on the resilience of operators of essential services and digital service providers, recognizing how interconnected critical infrastructure had become in the digital era.
The first NIS Directive was a pivotal step in acknowledging the growing threat posed by cyber incidents, and it sought a coordinated and harmonized response among EU member states. By mandating the identification of operators of essential services, promoting risk management practices, and requiring incident reporting, it laid the foundation for a collaborative approach to cybersecurity within the European Union. In practice, however, Member States identified in-scope operators and applied the rules inconsistently, and the threat landscape kept evolving, which prompted the European Parliament and Council to enact the more comprehensive measures found in NIS2.
7 Key Changes and Expansions

Scope Expansion
The NIS2 Directive brings new sectors that are crucial for the economy and society into scope, including public administration, space, postal and courier services, waste management, food production and distribution, and the manufacturing of certain critical products. A uniform size-cap rule replaces case-by-case national identification: all medium and large entities operating in the covered sectors are in scope, while Member States keep the flexibility to designate smaller entities with a high security risk profile.

Classification of Entities
In a departure from the previous approach, the directive eliminates the distinction between operators of essential services and digital service providers. Entities are now classified as either essential or important, and the two categories are subject to different supervisory regimes: essential entities face both proactive (ex ante) and reactive (ex post) supervision, whereas important entities are supervised only after the fact, for example following an incident or a complaint.

Security and Reporting Requirements
The directive requires in-scope companies to take a risk management approach to cybersecurity. It introduces a minimum list of security measures that every entity must implement, covering areas such as risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, secure acquisition, development and maintenance of systems (including vulnerability handling), cyber hygiene and training, cryptography and encryption, access control and asset management, and multi-factor authentication. It also sets precise rules for incident reporting, including report content and timelines: an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month.

Supply Chain Security
Recognizing the critical role of supply chains, the directive requires individual companies to address cybersecurity risks in their supply chains and in their relationships with direct suppliers and service providers, including the quality of those suppliers' own security practices and secure development procedures. At the European level, the Cooperation Group, together with the Commission and ENISA, may carry out coordinated security risk assessments of critical supply chains for key information and communication technology services, systems, and products.

Supervisory Measures and Enforcement
National authorities gain stricter supervisory powers (such as audits, security scans, and information requests) and stronger enforcement tools, and sanctions regimes are harmonized across Member States to create a more unified and effective enforcement framework. Administrative fines can reach at least €10 million or 2% of total worldwide annual turnover for essential entities, and at least €7 million or 1.4% of turnover for important entities, whichever is higher. Management bodies can also be held accountable for their organization's failure to comply.

Cooperation and Information Sharing
The directive strengthens the role of the Cooperation Group in shaping strategic policy decisions and fosters increased information sharing and cooperation between Member State authorities, alongside the existing network of national CSIRTs. Operational cooperation is a key focus, particularly in cyber crisis management, for which the directive formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe) to coordinate the handling of large-scale incidents.

Coordinated Vulnerability Disclosure
The NIS2 Directive introduces a basic framework for coordinated vulnerability disclosure that engages the responsible key actors across the EU. Each Member State must designate one of its CSIRTs as a coordinator, acting as a trusted intermediary between the researcher who reports a vulnerability and the manufacturer or provider of the affected product or service. The directive also tasks the EU Agency for Cybersecurity (ENISA) with developing and maintaining a European vulnerability database to support the disclosure process.
A More Secure Union
The NIS2 Directive marks a significant milestone in the EU's commitment to cybersecurity. By addressing the deficiencies of its predecessor and adapting to current needs, this directive establishes a comprehensive framework for businesses and organizations to navigate the complex and ever-changing landscape of cyber threats.
Looking for more on cybersecurity compliance? Learn about key regulations around the world in our blog.
What’s Next?
As the deadline for compliance approaches, businesses and organizations need to stay informed about the NIS2 Directive's provisions. Proactive adoption of the outlined measures will not only ensure compliance but also contribute to a more resilient and secure digital environment across the European Union.
Discover how OPSWAT solutions from IT to OT and everything in between can help your organization stay compliant with NIS2 and other key regulations—talk to an expert today.