What is NIS2?
NIS2 is the revised Network and Information Systems Directive, which represents a significant step toward establishing a common level of cybersecurity across the European Union. It aims to bolster the resilience of essential services and digital service providers against cyber threats with consistent cybersecurity standards and practices.¹
The NIS2 Directive strengthens security requirements in the EU by expanding its scope to more sectors and entities, taking into account the security of supply chains, streamlining reporting obligations, introducing monitoring measures and more stringent enforcement requirements, adding the concept of “management bodies” accountability within companies, and harmonizing and tightening sanctions in all Member States.²
The NIS2 Directive is a major opportunity for all CISOs to strengthen their position within the company. The directive brings a notion of management accountability for cybersecurity risk management, as well as heavy penalties for offenders.
The expanding scope of NIS2
The scope of NIS2 has been expanded to cover more entities and sectors, effectively obliging them to take measures that will increase the level of cybersecurity in Europe in the longer term.
NIS2 extends the scope of NIS by adding new sectors, such as telecom, social media platforms, and public administration (i.e., entities of central and provincial governments). Entities falling within NIS2’s scope will be classified into two categories: operators of essential services and important entities.²
NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health, and digital infrastructure.³
When will NIS2 be implemented?
The NIS2 Directive entered into force on January 16, 2023, replacing the previous NIS Directive. It is intended to ensure a high common level of cybersecurity in the European Union.
How does NIS2 affect SMEs (Small and Medium Enterprises)?
The exact impact of the NIS2 Directive on SMEs may vary depending on the sector and specific requirements that apply to them. However, in general, it is expected that SMEs will need to invest in cybersecurity measures to comply with the NIS2 Directive and ensure the protection of their data and systems.
The current NIS2 proposal leaves Member States the discretion to define which SMEs are essential or important to their respective economy and society, thereby leading to a high level of legal ambiguity for the SMEs operating across multiple Member States.
Ensuring compliance with the new requirements of the NIS2 Directive may be a challenging and costly task for SMEs.¹
How does NIS2 compare to other cybersecurity regulations?
NIS2 is the successor of the Network and Information Security Directive (NISD), which was released in 2016. NISD was the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high common level of cybersecurity across the Member States.
While NISD increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalization and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.
The proposed expansion of the scope covered by NIS2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term.
What are the penalties for non-compliance with NIS2?
The NIS2 Directive sets out specific penalties for non-compliance; these include non-monetary remedies, administrative fines, and criminal sanctions.
NIS2 also provides for heavy penalties for non-compliance. These include fines of €10 million or 2% of global turnover (whichever is higher) for essential entities and €7 million or 1.4% of global turnover (whichever is higher) for important entities.
Embrace a cyber-resilient future with Intwo Security Concierge
NIS2 isn’t just a directive; it’s a strategic force securing Europe’s digital future, setting a global example amid complex digital threats.
But are you prepared for the NIS2 Directive’s cybersecurity mandates? Take action with our Security Concierge services to secure your future, comply with NIS2, and partner with us for expert guidance and solutions. Act today to protect your business and embrace a cyber-resilient future.