Policies first

NIS2: Understanding the new EU cybersecurity directive

4 minutes reading

After implementing the Network and Information Security (NIS) directive in 2016, the European Union decided to take a stricter stance, expand the adapted decree, and involve more entities in its attempts to increase the level of cybersecurity in Europe. What to expect from NIS2? Here are some questions you might have – and the answers to them.

What was the purpose of the first NIS directive?

The NIS directive, adopted in 2016, was the first legislation on cybersecurity concerning all member states of the European Union. It mainly focused on organisations in two groups: operators of essential services (OESs), such as health, transport, energy, etc., and digital service providers (DSPs), including online search engines, internet marketplaces, and cloud services.

NIS required these organisations to comply with appropriate security measures and report any major cybersecurity incidents they experience, but the directive also enabled the states to consider their national circumstances.

The main goal of the directive was to improve the cybersecurity of European businesses by, among other, providing a national NIS authority, requiring companies to have a Computer Security Response Team (CSIRT), and enabling strategic communication in a Cooperation Group, which comprises EU member states, the European Commission, and the EU Agency for Cybersecurity (ENISA).


What is NIS2? 

The NIS2 directive expands its predecessor, includes a greater variety of organisations from different spheres, and, for the first time, considers the security of the ICT supply chain. Its creation was motivated by years of development in the area of European cybersecurity as well as recent cybersecurity challenges.

During the COVID-19 pandemic, cyberattacks increased by 220% across EU member states, highlighting that the original NIS directive may have been too limited in its scope. The goal of NIS2 is to strengthen the cybersecurity of individual European states, support better joint situational awareness, and enhance the EU’s ability to collectively face security issues by improving the information-sharing process between both the different sectors and individual countries.

NIS2 should minimise the differences between the many states and sectors and present a unified strategic plan regarding a great variety of cybersecurity threats. In comparison to NIS1, NIS2 introduces more severe supervisory measures for national authorities as well as stricter enforcement requirements.


Which businesses will be included in NIS2?

NIS2 will cover almost all medium and large commercial entities operating on the internal market of the European Union. That includes not only the member states of the EU but also organizations outside the EU that are essential within its market.

Which sectors were included in the NIS1 directive?

  • Healthcare
  • Digital infrastructure
  • Transport
  • Water supply
  • Digital service providers
  • Banking and financial market infrastructure
  • Energy

Which sectors were added by the NIS2 directive?

  • Providers of public electronic communications networks or services
  • Wastewater and waste management
  • Manufacturing of certain critical products (e.g., pharmaceuticals, medical devices, and chemicals)
  • Food
  • Digital services (e.g., social networking platforms and data centre services)
  • Space (e.g., aerospace)
  • Postal and courier services
  • Public administration 


Source: Cyberpilot, 2022


Which requirements does NIS2 introduce?

The directive is composed of seven points that should be followed by the applicable businesses and sectors. The requirements include incident response, supply chain security, encryption, vulnerability disclosure, and also a two-stage approach to incident reporting, according to which organisations must report an incident within 24 hours from its first occurrence and then submit a final report no later than one month after.

What may happen to companies that do not comply with the directive?

If companies neglect the requirements of NIS2, various enforcement measures may follow, including binding instructions, a recommendation of a security audit, and administrative fines up to €10 million or 2% of the company’s total worldwide annual turnover in the previous financial year.

When will the directive be implemented?

The final version of the directive is still being discussed by the relevant authorities, but its implementation is expected by 2024.

How should companies prepare?

Since the directive is yet to become applicable, there are no specific requirements you need to follow right now. Still, there are some steps you may take to make your company better prepared for the changes to come.

NIS2 will require organizations to assess their cybersecurity risks, which is something you may do in advance to get a better picture of both your strengths and weak spots. Since encryption will also be a part of the directive, you may examine how you protect and encrypt your data at the moment and see whether there are any improvements you want to make.