FAQs about NIS2
NIS2 is an EU directive that replaces the existing NIS directive, which has been in force since 2013. NIS stands for Network and Information Security.
The directive applies to the whole of the EU and aims to ensure a high and uniform level of cyber and information security, so that critical infrastructure and services critical to society are better equipped against outages and external cyber threats.
The new NIS2 directive covers far more sectors than before, and it tightens the requirements for supervision while introducing the possibility of holding management personally liable for breaking the law.
NIS2 covers far more sectors than the original NIS Directive. All players within critical infrastructure are covered, including their suppliers. The directive specifies 17 segments: energy, transport, finance (banking), financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, outer space, mail, waste management, chemicals, food, digital providers, education, and research.
Smaller companies with fewer than 50 employees or with a turnover of less than 10 million euros are not covered, but there are several exceptions. Furthermore, it is up to the local authorities to specify who is covered.
The directive distinguishes between "essential" and "important" segments, and depending on which segment you belong to, different requirements apply.
The directive must first be implemented as legislation in the respective countries, and the companies concerned are then given a "grace period" to comply with the legislation. However, NIS2 must be implemented in all covered European companies, authorities, and organizations by 2024 at the latest. After that, it will be the responsibility of local authorities to enforce the directive, similar to the current situation with GDPR.
The requirements in NIS2 include, among other things:
- Policies for risk analysis and information system security
- Incident management (prevention, detection, and response to incidents)
- Business continuity and crisis management
- Supply chain security, including security-related aspects of relationships between entities and their suppliers or service providers, such as data storage and processing services or managed security services
- Security in connection with the acquisition, development, and maintenance of network and information systems, including the handling and disclosure of vulnerabilities
- Policies and procedures (testing and auditing) for assessing the effectiveness of measures to manage cybersecurity risks
- Use of cryptography and encryption