NIS2: Directive with measures to ensure a high common level of cybersecurity across the European Union


The new NIS2 legislation will come into force in October 2024
Network and Information Security measures are subject to new legislation this year. The new NIS2 standards will come into force in October 2024, increasing the collective resilience of Europe's critical infrastructures by applying seven comprehensive security requirements. The new measures aim to broaden the scope and comprehensiveness of the original directive, reinforce principles considered essential to cyber resilience, and create a support group for strategically coordinating cybersecurity initiatives between member states.

A brief overview of the NIS Directive

The Network and Information Security (NIS) Directive is the first piece of European Union legislation to address the issue of cybersecurity. It was adopted on July 6, 2016, to strengthen the resilience of the European cybersecurity space at the level of entities considered relevant to member states and to the European space as a whole. It was transposed into Portuguese law only on August 13, 2018, as Law 46/2018, which established the Legal Framework for Cyberspace Security.

The National Cybersecurity Center (CNCS) oversees the proper implementation of the NIS Directive; the obligations themselves fall on the covered entities, which must comply with the information security requirements and CNCS Instructions and must notify relevant security incidents.

The EU cybersecurity rules introduced in 2016 have been updated by the NIS2 Directive, which comes into effect in October 2024. This update aims to modernize the existing legal framework to keep pace with increased digitalization and the evolving cybersecurity threat landscape.

The NIS2 Directive provides for legal measures to increase the overall level of cybersecurity in the EU by ensuring:
  • Preparedness of member states, by requiring them to be properly equipped.
  • Cooperation between all member states, through the creation of a cooperation group to support and facilitate strategic cooperation and the exchange of information between member states.
  • A culture of security in all sectors that are vital to the economy and society - and that rely heavily on ICT - such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructures.

What are the main elements of the NIS2 Directive?

The NIS2 Directive aims to adapt the existing rules to current needs and make them future-oriented.

To this end, the directive adds new sectors based on their degree of digitalization and interconnection and their crucial importance for the economy and society, introducing a clear size threshold rule. At the same time, it leaves some leeway for member states to identify smaller entities with a high security risk profile that should also be covered by the obligations of the new directive.

The new directive also removes the distinction between operators of essential services and digital service providers. Entities will be classified based on their importance and divided into two categories: essential entities and important entities, which will be subject to a different supervisory regime.

The new directive strengthens and simplifies companies' security and information requirements, imposing a risk management approach that provides for a minimum list of basic security elements that must be applied. In addition, NIS2 addresses the security of supply chains and supplier relationships, requiring each company to individually address the cybersecurity risks in its own supply chain and supplier relationships.

The directive introduces stricter supervisory measures for national authorities and stricter enforcement requirements, and aims to harmonize sanctions regimes across member states.

NIS2 also establishes a basic framework with the main actors responsible for the coordinated disclosure of newly discovered vulnerabilities across the EU and creates an EU vulnerability database for publicly known vulnerabilities in ICT products and services, which will be managed and maintained by the EU's cybersecurity agency (ENISA).

What sectors and types of entities will be covered by NIS2?

NIS2 covers entities in the following sectors:

Highly critical sectors:
  • energy (electricity, district heating and cooling, oil, gas and hydrogen);
  • transport (air, rail, sea, and road);
  • banking;
  • financial market infrastructures;
  • health, including the manufacture of pharmaceutical products and vaccines;
  • drinking water;
  • waste water;
  • digital infrastructures;
  • data center service providers;
  • content distribution networks;
  • trust service providers;
  • providers of public electronic communications networks and publicly available electronic communications services;
  • ICT service management;
  • public administration;
  • space.

Other critical sectors:
  • postal and courier services;
  • waste management;
  • chemical products;
  • food products;
  • manufacture of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers, and other transportation equipment;
  • digital providers (online marketplaces, online search engines, and social networking service platforms);
  • research organizations.

How will NIS2 strengthen and streamline entities' security requirements and incident reporting obligations?

The NIS2 Directive introduces a series of specific security requirements that organizations must meet. These requirements include:
  • The implementation of effective cybersecurity risk management.
  • The implementation of appropriate technical and organizational security measures.
  • Training employees in cybersecurity.

The directive also establishes a stricter regime for reporting incidents. Entities must notify the competent authorities of any cybersecurity incident that could have a significant impact on their operation.

Small and medium-sized enterprises (SMEs) may find it difficult to comply with the requirements of the NIS2 Directive. It is therefore important that member states provide support and guidance to these companies.

What are the penalties for non-compliance with the NIS2 directive?

Organizations that fail to comply with the NIS2 directive can be subject to significant fines:
  • Essential entities can be fined up to 10 million euros or 2% of their global turnover, whichever is higher.
  • Important entities can be fined up to 7 million euros or 1.4% of their global turnover, whichever is higher.

In addition to monetary penalties, non-compliant organizations may face non-financial measures. These can include orders to comply, binding instructions, notification and reporting requirements for affected parties, and implementing changes based on security audit findings.

The NIS2 Directive is a necessity because companies need to guarantee the privacy and protection of customer data and ensure business continuity. The good practices listed in the directive must be adopted across the board by all sectors and not just by organizations legally obliged to do so.

Got any questions? Get in touch with Hydra iT!