What is the NIS2 Directive?
The Network and Information Security Directive (NIS2) is a European Union directive that regulates the security of digital networks and information systems across the EU and provides a common framework for the security measures to be implemented. It is part of the European Digital Single Market strategy and applies in all EU member states. It covers operators of essential services, digital service providers, and digital infrastructure providers, which are required to:
- Analyze risks and develop information systems security policies;
- Develop business continuity and crisis management plans;
- Develop plans for incident detection, prevention, and remediation;
- Focus on supply chain security;
- Use encryption to secure data at rest and in transit.
Does the NIS2 Affect Your Organization?
It is important to assess whether your organization is within the scope of NIS2 and what your obligations may be. NIS2 may affect your organization if you are a digital service provider, a digital infrastructure provider, or an operator of essential services. NIS2 applies to any organization that has more than 50 employees, whose annual turnover exceeds €10 million, and that belongs to one of the following industries:
- Electronic communications
- Digital services
- Waste management
- Critical product manufacturing (e.g. medicine)
- Postal services
- Public administration
Why Was NIS2 Developed, and How Does It Differ from NIS1?
NIS2 was developed in response to the growing number of cybersecurity threats in today’s digital world. A common framework was therefore required to ensure the security, availability, and continuity of essential services and to protect the security and privacy of digital networks and information systems.
NIS1 was a recommendation from the European Commission and was not legally binding. NIS2, on the other hand, is a Directive that all member states must adhere to. NIS2 also extends its scope to include digital service providers (DSPs) and digital infrastructure providers (DIPs), whereas NIS1 focused solely on operators of essential services (OESs).
What’s Changing in NIS2?
NIS2 introduces a number of new requirements, such as the requirement for organizations to create and maintain a security policy, to carry out periodic risk assessments, to report security incidents, and to develop continuity plans for essential services. It also introduces specific requirements for digital service providers and digital infrastructure providers. In addition to expanding the list of covered industries and eliminating the distinction between DSPs and OESs, NIS2 introduces the following changes:
- The introduction of a European Cyber Crises Liaison Organization Network (EU-CyCLONe), which is designed to support the coordinated management of large-scale cybersecurity incidents.
- Better threat intelligence and coordination relating to new vulnerabilities discovered throughout the Union.
- A minimum list of basic security elements that must be applied, including more detailed information about how incidents are reported.
- Stricter supervisory measures and enforcement requirements, and better harmonization of sanctioning across Member States.
- Coordinated risk assessments of critical supply chains conducted by Member States, in cooperation with the Commission and ENISA.
Adoption Timeline for NIS2 and Next Steps
The NIS2 Directive was officially adopted by the European Parliament and the European Council on November 15, 2022. Member States have until 17 October 2024 to adopt and publish the measures necessary to comply with the NIS2 Directive, and organizations are legally required to apply those measures from 18 October 2024 onwards. Organizations should begin assessing the impact of NIS2 on their operations and planning their compliance strategy now. It is important to put adequate security measures in place to meet the requirements of NIS2 sooner rather than later.
If you’d like to see how the Lepide Data Security Platform can help you prepare for NIS2, schedule a demo with one of our engineers or start your free trial today.