An improved NIS directive, definitions
On January 16th, 2023, the European Union made a significant step towards strengthening cybersecurity across its member states with the approval of the NIS2 directive. This directive represents an expansion of the existing NIS (Network and Information Systems) directive and sets new requirements for organizations in both the public and private sectors. The directive aims to improve cybersecurity measures and reporting for organizations considered to be critical infrastructure and digital service providers. With cybersecurity threats becoming increasingly sophisticated and frequent, the NIS2 directive is a crucial step towards protecting the EU's digital economy and ensuring the safety of its citizens' data.
What is the NIS2?
The NIS2 is a forthcoming EU policy that all member states must adhere to by 2024. Its primary objective is to safeguard critical infrastructure and organizations within the EU from cyber threats while establishing a uniform level of security across the bloc. To achieve this, the NIS2 prioritizes essential service providers, which are fundamental to the proper functioning of society, making them prime targets for cybercriminals seeking to create chaos. The directive mandates heightened security standards, more stringent reporting requirements, and stricter enforcement measures that apply to a broader range of organizations than its predecessor, the original NIS directive.
Moreover, additional types of organisation that provide essential services to private individuals have been included. Here is the new list, covering both essential entities and important entities:
Digital service providers
Financial market infrastructure
Health (pharmaceuticals, R&D, critical medical devices)
Providers of public electronic communications networks or services
Food producers, processors, and distributors
Manufacturing of critical products (medical devices, computers, electronics, motor vehicles)
Digital providers (social networking platforms, search engines, online marketplaces)
Postal and courier services
How does NIS2 work?
The NIS2 directive requires EU member states to establish a legal framework for the prevention of, response to, and recovery from cyber incidents affecting essential service providers. It sets out obligations for digital service providers and essential service providers (ESPs) to ensure the security of the network and information systems they operate. It also obliges member states to appoint competent authorities responsible for overseeing the application of the directive.
Technical details of NIS2's architecture and components
The NIS2 directive's architecture includes a European Cybersecurity Competence Center (ECCC) and a European Cybersecurity Industrial, Technology, and Research Competence Center (EICTRCC). The ECCC is responsible for developing cybersecurity expertise and improving coordination among member states. The EICTRCC, on the other hand, fosters research and innovation in the field of cybersecurity.
The directive requires ESPs to implement robust security measures, such as risk management and incident response plans, to ensure the continuity of their services. The new directive also reaches beyond the organisations themselves: their suppliers and third parties need to be included in their ISMS. The NIS2 architecture requires organizations to share information with relevant authorities and other impacted organizations in the event of a cyber incident. It also mandates member states to develop cybersecurity certification schemes for ICT products, services, and processes to improve confidence and trust in digital technologies.
Key features and benefits of using NIS2
The NIS2 directive provides significant benefits to organizations and individuals within the EU. It provides clear guidelines and standards for organizations to follow, making it easier to comply with cybersecurity regulations. It ensures that essential services are protected, reducing the likelihood of widespread disruption due to cyber incidents.
Moreover, the directive fosters cooperation and information-sharing among organizations, enhancing their ability to respond to cybersecurity incidents. It also helps improve the overall level of cybersecurity across the EU, making it a safer place for individuals and organizations to operate.
Benefits for businesses
The NIS2 directive helps businesses enhance their cybersecurity posture, protect their reputation, and reduce the likelihood of financial losses. Compliance with NIS2 standards enables organizations to demonstrate their commitment to cybersecurity, potentially increasing customer trust and loyalty. NIS2 also promotes the development of cybersecurity technologies and practices, fostering innovation and growth in the digital sector.
Benefits for consumers
The NIS2 directive aims to improve the security of essential services that consumers rely on daily. With increased security measures in place, consumers can enjoy greater confidence and trust in the services they use. In the event of a cyber incident, the directive requires organizations to inform their customers promptly, allowing them to take the necessary steps to protect their personal information.
Benefits for the EU as a whole
The NIS2 directive helps ensure the EU's digital economy remains resilient to cyber threats, promoting continued economic growth and development. It also promotes the EU's global competitiveness by establishing common cybersecurity standards that are respected worldwide. Finally, the directive helps to safeguard individual privacy and data protection rights, contributing to a more secure and trustworthy digital environment.
NIS2 in practice
Challenges and limitations of NIS2
The NIS2 directive has already shown promising results in practice, particularly in helping organizations address vulnerabilities in their information security management systems (ISMS). For instance, several organizations in the energy sector have improved their cybersecurity measures following the directive's implementation. Some energy suppliers have invested heavily in enhancing their security capabilities to meet NIS2 requirements, including conducting regular risk analysis and risk management activities to identify and address vulnerabilities in their ISMS. In the financial sector, the directive has led to the development of new technologies to secure online payments and prevent fraud, reducing the risk of cyber threats to financial systems.
Common criticisms of NIS2
Despite its many benefits, the NIS2 directive has faced criticisms from some quarters. One of the main criticisms is that it places an undue burden on organizations, particularly small and medium-sized enterprises (SMEs), to implement effective risk management and information security practices in their ISMS. Critics argue that SMEs may not have the resources or expertise to comply with NIS2 standards.
To address these concerns, the EU has developed a certification scheme to help SMEs demonstrate their compliance with NIS2 requirements, which includes effective risk management and information security practices in their ISMS. The scheme provides a clear and straightforward process for SMEs to follow, reducing the burden of compliance.
Another criticism of NIS2 is that it may lead to overregulation and stifle innovation in information security. Critics argue that the directive may limit the development of new technologies and deter startups from entering the market. To mitigate this risk, the EU is working to create a supportive environment for innovation in the cybersecurity sector, including providing funding and support for startups and SMEs.
Potential risks and vulnerabilities
Despite its many benefits, the NIS2 directive is not without its risks and vulnerabilities, particularly in implementing effective risk analysis and management activities in organizations' ISMS. One potential vulnerability is insider threats, where employees with malicious intent endanger an organization's information security. To address this risk, the directive includes provisions for employee training and awareness, as well as the need to monitor access to sensitive information in an organization's ISMS.
Another potential vulnerability is supply chain attacks, where third-party vendors become the path to an organization's information security. Organizations may be at risk if they rely on third-party vendors for essential services, such as cloud providers. To mitigate this risk, the directive requires organizations to assess the security of their vendors and ensure they meet NIS2 standards in their own ISMS.