In the age of digitalisation, new cyber security threats are constantly emerging. In the ongoing fight to safeguard businesses, individuals and governments from the ever-evolving nature of these threats, from protecting sensitive data to consumer confidence and national security, the importance of legislation cannot be overstated.
Lawmakers can be notoriously slow to respond to the complexity and rapid changes of these threats, but now there’s a new piece of regulation on the block: the European Union’s updated cyber security directive, known as NIS2, will take effect on 18th October 2024 with the specific aim of achieving a high common level of cybersecurity across the EU.
What is the NIS2 Directive?
Also known as the Network and Information Security Directive, NIS2 is a landmark piece of legislation aimed at improving cyber security and protecting critical infrastructure across member states. Building upon the previous NIS Directive (NIS-D), it is set to address the shortcomings of its predecessor and expand its scope in order to enhance security requirements, address the security of supply chains, streamline reporting obligations, and introduce stronger supervisory measures. By obliging more entities and sectors to take measures, the hope is that this new legislation will help increase the level of cybersecurity in Europe in the long run.
The European Parliament’s NIS2 proposal sets itself three general objectives:
As a directive, the purpose of NIS2 is to specify the minimum level of cybersecurity to be achieved, and it is up to each EU country to define its own cybersecurity laws based on it. The 18th of October 2024, when the directive comes into effect, marks the deadline for setting these laws and regulations.
Why is the NIS2 necessary?
The original NIS-D came into effect in 2016. In the light of recent years’ unprecedented and exponential digitalisation, and the new cyber security risks it has brought forward, there is a dire need to improve the resilience of network and information systems in the EU. The European Parliament itself admits that while the NIS-D “increased the Member States' cyber security capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market.” With its stricter rules and expanded scope, NIS2 impacts a wider range of industries, and both private and public sector organisations will have to determine its impact on their current cyber security capabilities.
What does this mean in practice?
Whereas the NIS-D covered banking and financial markets, drinking water and digital infrastructure and the energy, transport, and healthcare sectors, the NIS2 expands its scope to include public administration, waste water and waste management, postal and courier services, food production, processing and distribution, digital services and digital service providers, electronic communications networks and services, the space and research sectors, the manufacture, production, and distribution of chemicals, and the manufacture of certain other critical products.
Compliance with the NIS2 directive is an absolute necessity for businesses operating within the EU in any of these sectors, if they have more than 50 employees and a revenue of more than 10 million euros. Entities which meet these three criteria are classified by importance and divided into “essential entities” and “important entities”, which will be subjected to different regulatory supervision and enforcement measures. The NIS2 directive also mandates the timely reporting of incidents to national authorities, and gives these authorities stronger enforcement powers to punish organisations that are not in compliance.
International legislation is a step forward in providing a comprehensive framework for protecting digital assets, ensuring privacy, and maintaining the integrity of information systems. It should be viewed not only as a legal requirement, but as a crucial aspect of any company’s success - and that’s why you should be prepared.