The surge in digitization and the accompanying evolution of cybersecurity threats have posed significant challenges in recent years.
Originally, the EU introduced the NIS Directive in 2016 to regulate cybersecurity. Despite its accomplishments, the NIS Directive revealed certain limitations.
The digital transformation, accelerated by the COVID-19 crisis, has broadened the threat landscape, necessitating adaptive and innovative responses. To address these challenges, the NIS 2 Directive modernizes the existing legal framework, ensuring it keeps pace with the escalating digitization and evolving cybersecurity threats.
By expanding the cybersecurity rules to encompass new sectors and entities, the directive takes into account their degree of digitalization, interconnectedness, and their critical importance to the economy and society. This expansion fortifies the resilience and incident response capabilities of public and private entities, competent authorities, and the EU as a whole. The directive also introduces a clear size threshold rule, incorporating all medium and large-sized companies in selected sectors within its scope. Simultaneously, it grants Member States the discretion to identify smaller entities with a high security risk profile, ensuring their inclusion under the obligations of the new directive.
The primary objective of the NIS 2 Directive is to guarantee a high common level of cybersecurity across the EU by:
- Enhancing Member States’ Preparedness: This entails ensuring that Member States are adequately equipped, including the establishment of a Computer Security Incident Response Team (CSIRT) and a competent authority for national networks and information systems (NIS).
- Fostering Collaboration Among Member States: The directive establishes a cooperation group that supports and facilitates strategic collaboration and information exchange among Member States.
- Promoting a Security Culture Across All Sectors: This is crucial for an economy and society heavily reliant on Information and Communication Technology (ICT). Sectors such as energy, transport, water, banking, financial market infrastructure are particularly emphasized.
The NIS2 Directive introduces new requirements and obligations for organizations in four overarching areas:
- Risk Management
- Reporting Obligations
- Business Continuity
These industries are listed as essential and important entities
Size threshold: varies by sector, but generally 250 employees, annual turnover of € 50 million or balance sheet of € 43 million.
- Public Administration
- Water supply (drinking & wastewater)
- Digital Infrastructure
Size threshold: varies by sector, but generally 50 employees, annual turnover of € 10 million or balance sheet of € 10 million
- Postal Service
- Waste Management
- Manufactoring: e.g. medical devices and other equipment
- Digital Providers: e.g. Social netwoeks, search engines, online marketplaces
By October 2024
Member States are required to transpose the directive into their national legislation by 17 October 2024.
For more detailed information about the NIS 2 Directive, the industries it will impact, and the fines you risk if you don´t comply please check the European Commissions FAQ