The EU's latest cybersecurity legislation aims to make Europe less vulnerable to digital threats. With the introduction of new rules and an expanded scope of affected organisations, UK-based businesses that use third parties or have customers based in the EU need to understand what it means for them.
The NIS2 directive builds upon the regulations established by its predecessor, the original NIS directive, which was adopted in 2016 and focused on essential service operators (e.g., health, transport, energy, and more) and digital service providers (such as online search engines, internet marketplaces, and cloud services). This marked the initial step towards a cohesive cybersecurity strategy across the European Union.
NIS2 will become applicable by September 2024; however, organisations may want to prepare well in advance.
What are the main changes that businesses with EU connections need to be aware of?
- The rules of NIS2 apply not only to organisations within EU member states but also to organisations outside the EU that are essential within its market
- The NIS2 directive now covers a broader scope of business entities, including providers of public electronic communications networks or services, wastewater and waste management, manufacturers of certain critical products (such as pharmaceuticals, medical devices, and chemicals), postal and courier services, and more
- NIS2 measures concern numerous areas, including incident response, supply chain security, encryption and vulnerability disclosure, adequate risk analysis, testing and auditing of cybersecurity strategies, and crisis management planning
- NIS2 establishes the European Cyber Crises Liaison Organisation Network to enable cooperation between national agencies and authorities in charge of cybersecurity
What are the specific new obligations introduced by the directive? And what does it mean for you? Get to know NIS2 with ESET's comprehensive guide.
Keep your journey safe with more digital security-related content.