The Network and Information Security Directive (NIS2) is an EU directive that aims to raise the overall level of cybersecurity across the Union. It applies to a wide range of sectors deemed critical to the EU economy, including energy, transport, banking, healthcare, and digital infrastructure. It establishes minimum requirements for the protection of network and information systems and sets out mechanisms for effective cooperation among the relevant authorities in each member state. As a directive rather than a regulation, it must be transposed into national law by each member state before it takes effect there.
The NIS2 directive is a response to the growing threat of cyber attacks and other malicious activity that can compromise the security of network and information systems in the European Union. It aims to improve the overall level of cybersecurity in the EU by requiring member states to adopt a national strategy on the security of network and information systems, designating national Computer Security Incident Response Teams (CSIRTs) and other competent authorities, and establishing mechanisms for cooperation between member states.
Certain sectors are vital to the economy and society and rely heavily on information and communication technology (ICT), such as energy, transport, banking, and healthcare. Under the original NIS Directive, public and private entities in these sectors, identified by member states as operators of essential services (OES), were required to undertake cybersecurity risk assessments and implement appropriate security measures. Digital service providers (DSPs), such as online search engines, cloud computing services and online marketplaces, were also subject to security and incident-notification requirements. NIS2 replaces this two-tier OES/DSP model with the categories of "essential" and "important" entities and extends the covered services, for example to data centre services.
The NIS2 directive reflects the EU’s recognition of the need to address the increasing sophistication and complexity of cybersecurity threats, as well as the interconnected nature of modern society and the economy. It is a response to the growing awareness of the risks posed by supply chain compromise, advanced disinformation campaigns, the loss of privacy through digital surveillance, and the exploitation of legacy systems and human error.
By establishing a common framework for addressing these threats and promoting cooperation between member states, the NIS2 directive aims to enhance the resilience and incident response capabilities of the EU and its member states, and contribute to the overall functioning of the internal market. It is a key step in the EU’s efforts to protect its citizens, businesses, and critical infrastructure from cyber attacks and other malicious activity.
Overview of the NIS2 directive
The original Network and Information Systems (NIS) Directive, adopted in 2016, is a piece of European Union (EU) legislation that aims to boost cybersecurity in the EU and contribute to the overall functioning of the internal market. The NIS Directive is based on three main pillars:
- Establishing national strategies and incident response teams,
- Creating a network for cooperation and information exchange among Member States,
- Ensuring cybersecurity measures are in place in certain critical sectors that rely heavily on information and communication technology (ICT), such as energy, transport, and healthcare.
One of the main changes introduced by NIS2 is the extension of its scope to cover a wider range of sectors and activities. While the original NIS Directive applied only to operators of essential services identified by each member state and to a short list of digital service providers, NIS2 introduces a size-cap rule as the general rule for identifying regulated entities. This means that all medium-sized and large entities operating within the sectors covered by the directive fall within its scope, unless they are specifically excluded; certain small entities are also covered regardless of size where the service they provide is critical (for example sole providers of a service in a member state). In addition, NIS2 clarifies that the directive does not apply to public administration entities carrying out activities in areas such as defence or national security, public security, and law enforcement, and allows member states to exempt the judiciary, parliaments, and central banks.
Under the original NIS Directive, Member States were responsible for designating entities as "operators of essential services" (OES) and imposing cybersecurity obligations on them. The revised NIS Directive expands the scope of the legislation and clarifies which organizations are required to comply with the Directive's provisions. Under NIS2, all medium and large organizations in the designated sectors are considered "essential" or "important" entities. This is the "NIS2 size-cap rule". They are subject to cybersecurity risk assessments and must implement appropriate and proportionate security measures. NIS2 also eliminates the distinction between OES and digital service providers. The new directive instead classifies entities according to their importance and subjects them to different supervisory regimes: essential entities face both proactive (ex ante) and reactive (ex post) supervision, while important entities are supervised reactively, after evidence or indication of non-compliance.
NIS2 also introduces stricter incident-reporting obligations and updates the list of sectors and activities subject to cybersecurity obligations. Significant incidents must be reported to the competent CSIRT or authority in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. It provides for remedies and sanctions to ensure enforcement, and it formally establishes the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and crises. The directive has also been aligned with sector-specific legislation, such as the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence.
How does NIS2 respond to cybersecurity threats and trends?
The European Union Agency for Cybersecurity (ENISA) has identified and ranked the top 10 cybersecurity threats it expects to emerge by 2030. These threats include supply chain compromise of software dependencies, advanced disinformation campaigns, the rise of digital surveillance authoritarianism and the loss of privacy, human error and exploited legacy systems within cyber-physical ecosystems, targeted attacks enhanced by smart device data, a lack of analysis and control of space-based infrastructure and objects, the rise of advanced hybrid threats, a skills shortage, cross-border ICT service providers as a single point of failure, and artificial intelligence abuse.
These emerging threats have the potential to impact the EU and its citizens in various ways. For example:
- Supply chain compromise of software dependencies could lead to the compromise of critical infrastructure,
- Advanced disinformation campaigns could cause social and political instability,
- The rise of digital surveillance authoritarianism could result in a loss of privacy and freedoms.
The NIS2 directive aims to address these emerging threats by establishing a high common level of cybersecurity across the EU and improving the resilience and incident response capacities of both the public and private sectors. The directive sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement. The directive will also formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.
What does it tell us about the EU's direction on cybersecurity?
The NIS2 directive is an updated version of the Network and Information Systems (NIS) directive, which was first adopted by the European Union (EU) in 2016.
One of the main changes introduced by the NIS2 directive is the expansion of the scope of the legislation to include medium-sized and large entities operating within the sectors covered by the directive (the “size-cap rule”). This is a significant change from the previous NIS directive, which allowed member states to determine which entities qualified as operators of essential services. The NIS2 directive also includes additional provisions to ensure proportionality and clarify criticality criteria for national authorities to determine further entities that should be covered by the directive.
In terms of cybersecurity threats and trends, the NIS2 directive is intended to address a range of emerging threats, including supply chain compromise of software dependencies, advanced disinformation campaigns, and the rise of digital surveillance and loss of privacy. It also aims to address the issue of human error and the exploitation of legacy systems within cyber-physical ecosystems, as well as targeted attacks enhanced by smart device data. The NIS2 directive also addresses the potential risks associated with the lack of analysis and control of space-based infrastructure and objects, and the rise of advanced hybrid threats.
With regard to the EU's priorities and concerns in cybersecurity, the NIS2 directive reflects the EU's commitment to protecting its citizens and critical infrastructure from cyber threats. It aims to ensure that the EU has a high common level of cybersecurity across all member states, and to improve the resilience and incident response capacities of both the public and private sector. The NIS2 directive also seeks to harmonize cybersecurity requirements and the implementation of cybersecurity measures across member states, in order to reduce fragmentation and ensure a consistent approach to cybersecurity across the EU. Overall, the NIS2 directive is an important step towards improving the EU's cybersecurity posture and ensuring the protection of its citizens and critical infrastructure from cyber threats.
Challenges and Limitations of NIS2
One of the main challenges in implementing the NIS2 directive is the need for consistency in implementation across all member states. Because it is a directive, each member state must transpose it into national law (the transposition deadline was 17 October 2024), and the resulting national rules can differ in detail. In order to ensure a high level of cybersecurity throughout the EU, it is important that all member states adopt and enforce the provisions of the directive in a uniform manner. This can be difficult due to differences in national laws and regulatory frameworks, as well as the diverse range of sectors and critical infrastructure covered by the directive. For an organization operating in several member states, this means checking the transposing law and competent authority in each of them rather than relying on the directive's text alone.
Another challenge is the need to ensure that the NIS2 directive is flexible enough to adapt to evolving cybersecurity threats and trends. With the rapid pace of technological change and the increasing sophistication of cyber attacks, it is important that the directive is able to respond to new threats as they emerge.
To address these challenges, the EU has established mechanisms for cooperation and coordination among member states, as well as with relevant stakeholders such as industry and academia. This includes the establishment of the European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC) to support research and innovation in cybersecurity. The EU has also adopted the Cybersecurity Act, which gives ENISA a permanent mandate and establishes a European cybersecurity certification framework for ICT products, services and processes.
Despite these efforts, it is important to recognize that there will always be limitations to the effectiveness of any legislative framework in addressing cybersecurity threats. Cybersecurity is a complex and dynamic field, and it will be important for the EU to continue to adapt and evolve its approach to addressing these challenges in the years ahead.
Conclusion
The NIS2 Directive, which replaces the previous Network and Information Systems Directive (NIS), aims to establish a high level of cybersecurity across the European Union by setting minimum requirements for regulatory frameworks and mechanisms for cooperation among relevant authorities in each member state.
The revised directive broadens the scope of the rules to apply to medium and large-sized entities operating within sectors or providing services covered by the directive, such as energy, transport, health, and digital infrastructure.
While the NIS2 Directive is intended to improve the resilience and incident response capacities of both the public and private sector, it also imposes additional obligations and potential fines for non-compliance (up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities, whichever is higher), which may have an economic impact on businesses and industries within the EU. It remains to be seen how the Directive will be implemented and enforced by each member state, and how it will ultimately affect the economic landscape of the EU.