NIS2 – Regulating for a Safer Future
NIS2 is the EU-wide cybersecurity directive that came into force in October 2024. Compared to NIS1, NIS2 introduces significant changes and imposes stricter cybersecurity obligations on more organisations. Member States are required to adopt new provisions containing these stricter control and enforcement measures to ensure compliance with the directive.

NIS2 replaces the NIS1 directive, and differs from it in several significant ways. NIS2 extends the scope to larger entities, such as chemical and medical device manufacturers, food manufacturers and social network providers, which were previously not covered by NIS1. NIS2 replaces the distinction between “essential service operator” and “digital service provider” with “essential entities” and “critical entities”, classified on the basis of, inter alia, size and sector. While both categories have similar obligations, the key entities are subject to stricter enforcement and control measures, and the sector supervisor is accountable for those control measures.

NIS2 imposes new cybersecurity obligations on “essential” and “critical” entities, including risk and supply chain management, cyber incident reporting and information sharing. Meeting these requirements will require in-scope organisations to develop and implement new policies and procedures. NIS2 also requires EU Member States to improve their national cybersecurity strategies and to respond to the digital threats they face, so organisations should keep abreast of future Member State initiatives in this area.
Enhanced security requirements
NIS2 raises the security requirements for enterprises by introducing a risk management methodology and a minimum list of basic security measures. The directive also contains much more detailed provisions on incident reporting, including the content and timing of reports: according to the directive, notification must be made within 24 hours of the occurrence of the incident, and the directive sets out a more detailed reporting process. NIS2 also requires organisations to address supply chain security, including the risks arising from their relationships with suppliers and service providers. Finally, NIS2 emphasises management’s responsibility for organisational cybersecurity and places individual accountability on governing bodies such as corporate boards and senior management to ensure effective implementation of the cybersecurity requirements. Organisations may be subject to various enforcement orders, and failure to comply may result in substantial fines.