What is NIS2?

What Is The NIS2 Directive?

Introduced in 2020 and entering into force on January 16, 2023, the NIS2 Directive is a continuation and expansion of the previous EU cybersecurity directive, NIS. It was proposed by the European Commission to build upon the original NIS directive and rectify its deficiencies.

NIS2 aims to enhance the security of network and information systems within the EU by requiring operators of critical infrastructure and essential services to implement appropriate security measures and report any incidents to the relevant authorities.

Compared to NIS, NIS2 expands its EU-wide security requirements and scope of covered organizations and sectors to improve the security of supply chains, simplify reporting obligations, and enforce more stringent measures and sanctions throughout Europe.

The directive requires all EU member states to transpose it into their national laws by October 2024; failing to do so can attract expensive fines. Compliance with the NIS2 Directive builds on the requirements of the original directive, aiming to protect critical infrastructure and organizations within the EU from cyber threats and to strengthen their overall security posture.

Sectors covered by the NIS2 directive:

The NIS2 directive covers two main groups of entities:

  1. Essential Entities: Includes organizations maintaining vital societal functions, such as health, safety, security and economic or social well-being. A security incident within these entities can lead to widespread consequences, requiring these entities to adhere to higher cybersecurity standards and strict regulatory oversight.
  2. Important Entities: Includes organizations that play a significant role in the larger economic and social fabric but are deemed less critical than essential entities. Their cybersecurity requirements are less stringent than those for essential entities.

As per the directive, all essential entities are to be proactively supervised, while important entities are monitored only after a non-compliance incident has been reported.