NIS 2 is the latest version of the EU cybersecurity legislation known as the NIS Directive. The updated version focuses on cybersecurity risk management and cyberattack reporting requirements and is intended to correct the current situation of under-reporting.
NIS 2 applies only to organizations where disruption to operations would significantly affect the broader society. These are divided into essential (vital) organizations such as energy, transportation, and health, and important entities who carry out critical but not urgent and immediate operations such as cloud computing, data center services, and food production.
NIS 2 poses requirements for implementation of cyber-risk measurement tools to ensure a level of security proportionate to the risk posed and for reporting significant cyber incidents and cooperating with national authorities.
NIS 2 also presents new governance mechanisms at both the national and the EU levels, including per-sector cybersecurity authorities and national cybersecurity coordination centers (NCCCs). In addition, the directive calls for setting up multiple Computer Security Incident Response Teams (CSIRTs) to bolster cross-border response to incidents.
NIS 2 imposes stricter measures for non-compliance, on-site inspections, audits, temporary suspensions, and restrictions imposed on C-level executives.
The main differences between the original NIS the new NIS 2 directive are:
· NIS 2 broadens sector coverage, adding the category of “important” (but not “essential”) sectors that are subject to lighter security and reporting obligations.
· NIS 2 sets more detailed and uniform security requirements for all entities covered by the directive, focusing on risk management, incident handling, supply-chain security, Zero Trust, and other areas that have become prominent cybersecurity concepts since the introduction of the original directive.
· Establishment of a single point of contact at national level for receiving notifications of incidents.
· Stricter compliance enforcement and uniform fines for non-compliance (up to €10 million or 2% of global annual turnover).
One of the key elements in NIS 2 is the obligation to report cyber incidents that have a significant impact on the continuity of services or on the security of network and information systems. Compared to the original NIS Directive, NIS 2 establishes more clear and consistent criteria and thresholds for these aspects.
For example, essential and important entities are required to report incidents that have an impact on more than 100,000 users, caused a loss of more than EUR 1 million, or a disruption of more than 24 hours.
Coordination mechanisms include a network of Computer Security Incident Response Teams (CSIRTs), as well as the new the European Cyber Crises Liaison Organisation Network (CyCLONe), comprising representatives of Member States’ competent authorities and CSIRTs as well as representatives of EU institutions and agencies such as ENISA (the European Union Agency for Cybersecurity), CERT-EU (the Computer Emergency Response Team for EU institutions), and Europol.
(Source: ENISA)
NIS 2 includes a preparedness checklist to help organizations comply with the directive. (This list is provided for informative purposes only. It does not ensure compliance.)
NIS 2 was adopted by the EU Parliament in November 2022 and entered into force on January 16, 2023. Member States have until October 2024 to adopt its language into each nation’s legal structures.
