NIS 2, short for “Network and Information Security Directive 2,” is a legislative framework established by the European Union (EU) to enhance cybersecurity measures across member states. It builds upon the original NIS Directive (NIS 1) to address emerging cyber threats and challenges in the digital landscape.


NIS 1 was adopted on 6 July 2016 but will be repealed by 18 October 2024 with the entry into force of NIS 2. Find out more about it below.

What Does NIS 2 Hope to Achieve?

This framework provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

  1. Member states’ preparedness: NIS 2 requires member states to establish a national computer security incident response team (CSIRT) and a national network and information systems (NIS) authority.
  2. Cooperation among all member states: NIS 2 requires establishing a Cooperation Group that will support and facilitate strategic cooperation and information exchange among member states.
  3. A culture of security across sectors: NIS 2 treats such a culture as vital for an economy and society that rely heavily on information and communication technology (ICT). That is especially true for the energy, transport, water, and banking sectors; financial market infrastructure; and healthcare and digital infrastructure.

How Does NIS 2 Differ from NIS 1?

The key improvements NIS 2 makes over NIS 1 are listed below.

  • Scope: NIS 2 broadens the scope of sectors covered under its provisions, now including additional critical sectors, such as digital infrastructure, online marketplaces, and search engines.
  • Incident reporting: The framework mandates stricter incident reporting requirements for digital service providers (DSPs), focusing on promptly notifying relevant authorities of any significant cybersecurity incident.
  • Risk management: NIS 2 emphasizes risk management and prevention strategies, encouraging organizations to adopt proactive measures to mitigate cyber risks effectively.
  • Cooperation and coordination: It promotes enhanced cooperation and coordination among EU member states, fostering information sharing and collaboration to combat cyber threats more effectively.
  • Enforcement and penalties: NIS 2 introduces more robust enforcement mechanisms and penalties for noncompliance to incentivize organizations to prioritize cybersecurity measures.

NIS 1 versus NIS 2

Network and Information Security Directive 2, adopted on 14 December 2022, will be turned into national legislation by 18 October 2024. It represents a significant step toward bolstering cybersecurity resilience and fostering a safer digital environment within the EU.

Who Should Comply with NIS 2?

The following entities are required to comply with this framework:

  • Essential entities
  • Important entities

These entities include operators of essential services (OESs) and DSPs, along with organizations in highly critical sectors, such as healthcare services, postal services, food, machinery and equipment, and other digital services. Small and medium-sized enterprises (SMEs) may be exempted from the scope of application, with some exceptions depending on the criticality of their service, such as electronic communication or trust services.

The member states should define by 17 April 2025 a list of essential and important entities that will be required to provide the necessary information.

What Are the Provisions of NIS 2?

NIS 2 substantially strengthens the obligations already present in NIS 1, particularly:

Security measures

NIS 2 provides a minimum list of security measures that organizations must implement. Organizations are mandated to adopt a multi-risk approach when implementing appropriate and proportionate technical, operational, and organizational security measures to:

  • Manage security risks to networks and information systems that they use for their operations or for providing services
  • Prevent or minimize the impact of incidents on service recipients

Incident reporting

Organizations must report significant incidents to the competent authorities and the CSIRT using a multistage scheme with predefined time frames. They must send an early warning within 24 hours of becoming aware of the incident. A notification with a detailed incident analysis should follow within 72 hours. Where appropriate, notifications for significant incidents should be sent without undue delay.

What Is the Penalty for Noncompliance?

Under this framework, the EU member states are required to establish penalties for noncompliance. The specific penalties may vary between member states, as each country is responsible for implementing and enforcing the directive within its own legal framework.

However, NIS 2 mandates that penalties for noncompliance should be effective, proportionate, and dissuasive. That means penalties should be sufficient to incentivize organizations to adhere to the cybersecurity requirements outlined in the directive. The severity of penalties may depend on factors such as the nature and severity of a breach, its impact on essential services or digital infrastructure, and the level of negligence or disregard for cybersecurity measures demonstrated by the organization.

Penalties for noncompliance with NIS 2 may include fines, sanctions, or other administrative measures imposed by competent national authorities. These penalties aim to encourage organizations to prioritize cybersecurity and invest in measures to protect against cyber threats, thereby enhancing the overall resilience of critical infrastructure and digital services within the EU.

Key Takeaways