
The abbreviation NIS stands for Network and Information Systems. In 2013, the European Union (EU) introduced the first proposal for enhancing cyber defense throughout Europe, known as the NIS directive.
In 2016, the NIS directive was interpreted and adopted by member states with slight variations. Recognizing the necessity for greater specificity in order to meet Europe’s increasing demand for enhanced cybersecurity, the EU developed NIS2.
This whitepaper offers comprehensive details about the NIS2 directive, including its primary objectives, scope, and the requirements that companies must comply with.
To access further information, please fill out the form to receive our whitepaper titled “NIS2: Vision, key objectives, and tactical strategies for your organization.” The whitepaper will be sent as a PDF document to the email address you provide.
NIS2 is an EU directive that replaces the existing NIS directive, which has been in force since 2013. NIS stands for Network and Information Security.
The directive applies to the whole of the EU and aims to ensure a high and uniform level of cyber and information security so that critical infrastructure and society-critical services are better equipped against breakdowns and cyber threats from outside.
The new NIS2 directive covers far more sectors than before, and it tightens the requirements for supervision while introducing the possibility of holding management personally liable for breaking the law.
NIS2 covers far more sectors than the original NIS Directive. All players within critical infrastructure are covered, including their suppliers. The directive specifies 17 segments: energy, transport, finance (banking), financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, outer space, mail, waste management, chemicals, food, digital providers, education, and research.
Smaller companies with fewer than 50 employees or with a turnover of less than 10 million euros are not covered, but there are several exceptions. Furthermore, it is up to the local authorities to specify who is covered.
The directive distinguishes between "essential" and "important" segments, and depending on which segment you belong to, different requirements apply.
The directive must first be implemented as legislation in the respective countries, and the companies concerned are then given a "grace period" to comply with the legislation. However, NIS2 must be implemented in all covered European companies, authorities, and organizations by 2024 at the latest. After that, it will be the responsibility of local authorities to enforce the directive, similar to the current situation with GDPR.
The requirements in NIS2 include, among other things:
- Policies for risk analysis and information system security
- Incident management (prevention, detection, and response to incidents)
- Business continuity and crisis management
- Supply chain security, including security-related aspects of relationships between entities and their suppliers or service providers, such as data storage and processing services or managed security services
- Security in connection with the acquisition, development, and maintenance of network and information systems, including the handling and disclosure of vulnerabilities
- Policies and procedures (testing and auditing) for assessing the effectiveness of measures to manage cybersecurity risks
- Use of cryptography and encryption.