
Strengthening cybersecurity resilience across the European Union

Author: | Nov 2, 2023 | Articles

In the dynamic cyber security environment, the European Union (EU) has taken a significant step forward with the introduction of the Network and Information Security Directive 2, or NIS2. This directive, which replaced its predecessor, the NIS Directive, is intended to strengthen resilience and incident response capacities in EU member states.

Understanding the essence of the NIS2 directive

The NIS2 Directive arises in response to the growing challenges posed by the surge in cyber security threats, highlighted by events such as the COVID-19 pandemic and the Russia-Ukraine war. The NIS2 system, approved by the EU Council, builds on the foundations laid by the NIS Directive, which was originally sanctioned in 2016.

Key objectives and scope

The main objective of NIS2 is to set the basis for cybersecurity risk management measures and reporting obligations across sectors such as energy, transport, healthcare and digital infrastructure. NIS2 introduces a new 'size cap' rule, bringing medium and large entities - i.e. those with more than 50 employees or annual revenues of €10 million - within its scope.

The aim of the directive is to harmonize cyber security requirements and implementation measures between member states. It lays down minimum rules for the regulatory framework and facilitates effective cooperation between competent authorities. This collaborative approach is critical in addressing the dynamic and cross-border nature of cyber threats.

Incorporation of experience from the past

Building on the experience of the previous directive, NIS2 introduces significant improvements. One notable addition is the creation of the European Network of Cyber Crisis Liaison Organizations (EU-CyCLONE), which supports the coordinated management of large-scale cyber security incidents and crises.

In addition, NIS2 aligns with industry legislation such as the Digital Operational Resilience Act (DORA) for the financial sector and the Center for European Reform (CER) Critical Entity Resilience Act. This alignment ensures legal clarity and consistency between NIS2 and these acts, streamlining compliance efforts.

Benefits and challenges

Quoting from recent articles: The NIS2 cyber security standards, which must be implemented by EU member states by October 2024, are expected to affect more than 100,000 organisations. This underlines the broad significance and reach of the Directive and highlights its potential impact on different sectors and entities.

Despite the expected benefits, there are challenges, particularly in terms of enforcement and adoption. Although the directive sets out clear rules, implementing practices such as Least Privilege Access enforcement and ongoing monitoring that underpin the zero-trust policies enshrined in NIS2 can be challenging for some entities.

Conclusion

The adoption of the NIS2 Directive in the EU represents a crucial moment in the field of cyber security in the region. By addressing the changing nature of cyber threats and incorporating lessons from the past, NIS2 lays the foundation for a more resilient and cooperative approach to cyber security in all member states. As organizations prepare to meet the directive's requirements, a shared commitment to a high common level of cybersecurity becomes paramount to protecting the European Union's digital foundations.
