NIS2 in Europe

The new EU NIS2 directive aims to improve digital resilience across the European Union. This directive will come into force in 2024. Or so it is planned.

What changes can we expect, or is there little new under the sun?

History of NIS2
The NIS directive from 2016 was the first EU law on network and information security. NIS stands for Network & Information Systems.

The vital sectors covered by the first NIS directive of 2016 included energy, transport, banking and finance, healthcare, and digital service providers.

The NIS1 directive of 2016 was implemented in the Netherlands through the Network and Information Systems Security Act (Wbni).

The NIS2 directive came into effect on December 28, 2020, and EU member states have until the end of 2024 to transpose it into national legislation; they were given 18 months to implement it into their national laws.

Why was the directive updated?

  • The COVID-19 pandemic led to an increase in cyberattacks and new cybersecurity risks.
  • Harmonization of cybersecurity measures is necessary due to the growing dependence on network and information systems across different sectors.
  • Increasing the resilience of network and information systems is important to prevent cyberattacks and other disruptions, and to protect society and the economy.

Essential and Important Sectors
The first NIS directive applied to essential sectors, covering a relatively limited set of organizations. The NIS2 directive will apply to many more organizations, distinguishing between essential entities and important entities.

The NCSC (National Cyber Security Center) website clearly outlines the criteria for falling under NIS2. Generally, organizations whose service outages would have a highly disruptive impact on the economy and society are classified as essential. Essential entities are subject to a more intensive oversight regime, which includes both proactive and reactive monitoring of compliance with the obligations.

Organizations designated as important entities will face lighter oversight, which takes place only reactively, for example when there are indications of non-compliance with the law or when an incident has occurred.

Scope of Cybersecurity
Organizations falling under NIS2 must meet several requirements, with a significantly expanded scope of measures compared to the first NIS directive.

This scope includes, among other things:

  • Risk analysis and security of information systems
  • Cybersecurity training for employees
  • Evaluation and updating of cybersecurity policies
  • Supply chain security
  • Security measures for the development and maintenance of network and information systems
  • Access and asset management policies
  • Implementation of encryption and cryptography
  • Multifactor authentication where necessary
  • Vulnerability management
  • Monitoring and incident response
  • Business continuity plans

Organizations that fail to comply with the NIS2 directive may face fines and other sanctions imposed by the supervisory authorities. Directors' liability will be extended to cover cybersecurity.

This summary covers the main points regarding the NIS2 directive and its implications for organizations within the EU.
