Novelties of NIS2

The Network and Information Security (NIS) Directive is the first EU-wide piece of cybersecurity legislation, whose primary  objective is to achieve a high common level of cybersecurity across Member States.

While it may have contributed to increased Member States’ cybersecurity capacities and cyber resilience, it has been proven difficult to implement, leading to fragmentation at different levels of the European Market. To respond to the growing threats related to digitisation and the increase in cyber-attacks of the critical sectors, the Commission submitted a proposal to change the NIS Directive, thereby tightening security requirements, addressing supply chain security, unifying reporting requirements and tightening supervisory measures as well as enhancing enforcement capacities and including harmonized sanctions across the EU.

NIS2 provisions define new critical sectors (such as aerospace, pharmaceuticals, post & courier service etc.) which were not or only partially comprised by NIS. In addition, NIS2 distinguishes between essential and important entities.

In practical terms, the picture of the critical sectors according to NIS2 is as follows:

On May 13, 2022, the Council and the European Parliament agreed on the NIS2 amendments. Before the agreement can be implemented, it still has to be approved by the European Parliament and the Council. Once approved, the NIS2 Directive will replace the current Network and Information Systems Security Directive (NIS).

Member States have 21 months from the entry into force of the Directive to incorporate its provisions into their national law.

The new provisions of the NIS2 will help to increase the level of cybersecurity in Europe in the long term, as it will oblige more institutions and sectors to take action in this matter.

The essential and important operators should take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems.

The required measures include:

  • Risk analysis and security policies for information systems
  • Processes for handling incidents (prevention, detection and response to incidents)
  • Provisions in connection with Business continuity and crisis management
  • Procedures related to supply chain security
  • Processes for security in acquisition, development and maintenance of network and information systems including management and disclosure of vulnerabilities;
  • Creation of the policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures
  •  Processes for using cryptography and encryption

Non-compliance by operators can be penalized in the form of fines – penalties of at least EUR 10 million, or if higher, 2% of worldwide turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher. Moreover the management body could be subject of personal liability.

The implementation of the measures requires an intensive use of resources, which is why it is recommended to proceed with the implementation before the NIS2 provisions are adopted into national law.  The Certitude experts can support you both in the operational implementation of the NIS2 measures and in assessing whether the NIS2 provisions are properly considered in the processes and procedures of the organisation.