NIS Directive: A Recap
The Network and Information Security (NIS) Directive was the first piece of EU-wide cybersecurity legislation, introduced to achieve a high common level of security of network and information systems across member states.
Its first iteration (‘NIS1’) was adopted in 2016 and set out new security precautions and incident-reporting obligations for operators of essential services and digital service providers. While it was effective in many ways, its requirements were interpreted and transposed differently by individual member states, leading to fragmented implementation. This prompted the European Commission to propose the revised NIS2 Directive.
The Directive’s refresh is making a timely arrival. Not only does it resolve previous limitations, but it has also been updated in response to new threats and today’s highly digital post-pandemic landscape. This includes a refreshed and expanded regulatory framework, a baseline list of security measures that now explicitly includes multi-factor authentication, stricter reporting obligations (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours and a final report within a month), and stricter enforcement.
NIS2 also takes corporate accountability and sanctions to the next level. Management bodies must approve and oversee their organisation’s cybersecurity risk-management measures and can be held personally liable for failures to do so; supervisory authorities may also temporarily ban individuals at CEO or legal-representative level from exercising managerial functions. Whether criminal penalties attach on top of this is a matter for each member state’s transposition, not something the Directive itself imposes.
NIS2 has a broader scope than NIS1, covering 18 sectors (up from 7) to enhance Europe’s long-term cybersecurity. It also places a stronger emphasis on ICT supply-chain security, which can indirectly impact suppliers outside its direct scope. Additionally, the Directive applies to entities established outside the EU that offer in-scope services within the EU; certain categories (for example DNS, cloud, data-centre and managed service providers) must designate a representative in the Union.
All in all, an estimated 100,000-plus organisations will need to meet NIS2 requirements. Member states must transpose the Directive into national law by 17 October 2024, after which the obligations apply to in-scope entities.
NIS2 Highlights
More affected sectors
The number of sectors covered by NIS2 (compared to NIS1) has more than doubled, from 7 to 18, split between 11 sectors of high criticality and 7 other critical sectors.
Stricter requirements
Compared to NIS1, NIS2 enforces more stringent measures and obligations, including a defined minimum set of risk-management measures (covering areas such as incident handling, business continuity, supply-chain security, cryptography, access control and multi-factor authentication) and tighter incident-reporting timelines.
Tougher ramifications
As well as heavy fines (up to €10 million or 2% of worldwide annual turnover for essential entities, and up to €7 million or 1.4% for important entities, whichever is higher), NIS2 non-compliance can lead to tougher legal ramifications, including personal liability for management and temporary bans on exercising managerial functions.