Decoding NIS2: A Deep Dive into the EU’s New Cybersecurity Framework
The digital landscape is evolving rapidly, and with it, the threats to cybersecurity are becoming more sophisticated. To address these challenges, the European Union has introduced the NIS2 Directive, a significant update to the original Network and Information Security (NIS) Directive. This newsletter article aims to provide a comprehensive guide to understanding NIS2 and its implications for organisations across the EU and the UK.

What is NIS2?

The NIS2 Directive, which came into force in January 2023, is designed to enhance the cybersecurity framework across the EU by addressing the shortcomings of the original NIS Directive. The primary goal of NIS2 is to achieve a high common level of cybersecurity across Member States, ensuring that both public and private sectors are better equipped to handle cyber threats.

Key Differences Between NIS and NIS2

While the original NIS Directive focused on establishing a common level of security for network and information systems, NIS2 introduces several key updates:

  1. Expanded Scope: NIS2 covers a broader range of sectors and entities, including both essential and important entities. Essential entities are subject to more intensive supervision, while important entities face a lighter form of supervision.
  2. Enhanced Security Requirements: NIS2 imposes stricter security requirements, including the need for advanced cybersecurity knowledge among senior leadership and continuous development of cybersecurity skills across the workforce.
  3. Streamlined Reporting Obligations: The directive aims to streamline reporting obligations, making it easier for organisations to comply with the new rules.
  4. Stricter Enforcement and Sanctions: NIS2 introduces more stringent supervisory measures and harmonised sanctions across the EU to ensure compliance.

Statistics and Impact

The implementation of NIS2 is expected to have a significant impact on the cybersecurity landscape in the EU. According to the European Parliamentary Research Service, global ransomware damage costs were forecast to reach $20 billion by 2021, a staggering 57 times the 2015 figure. Additionally, companies were predicted to suffer a ransomware attack every 11 seconds by 2021, up from every 40 seconds in 2016. These statistics highlight the urgent need for robust cybersecurity measures, which NIS2 aims to address.

Implications for the UK

Although the UK is no longer a member of the EU, the NIS2 Directive will still have implications for UK-based organisations that operate within the EU. The UK’s Network & Information Systems (NIS) Regulations, which came into force in May 2018, were designed to improve baseline security among operators of essential services (OES) in critical infrastructure sectors. With the introduction of NIS2, UK organisations operating in the EU will need to comply with the new requirements, including:

  • Wider Scope: NIS2 covers organisations in new sectors such as telecoms, social media, wastewater, and food, and will apply to all medium-sized and large organisations in these sectors.
  • Heavier Fines: Regulators will be able to levy penalties for serious non-compliance of up to 2% of annual turnover, or €10 million (£8.6 million), whichever is higher.
  • Baseline Security Requirements: NIS2 introduces a minimum set of measures to which all organisations must adhere, including risk management, incident management, business continuity, and supply chain security.
  • Director Accountability: Senior management personnel will be held responsible for the maturity of their security function and must receive cybersecurity training and conduct regular risk assessments.

Actions for Organisations

Organisations across the EU and the UK must take proactive steps to comply with the new NIS2 Directive. Here are some key actions to consider:

  • Assess Your Cybersecurity Posture: Conduct a thorough assessment of your current cybersecurity measures and identify areas that need improvement to meet NIS2 requirements.
  • Enhance Cybersecurity Skills: Invest in training and development programmes to ensure that your workforce possesses the necessary cybersecurity skills and knowledge.
  • Implement Robust Security Measures: Strengthen your security infrastructure by implementing advanced security technologies and practices.
  • Streamline Reporting Processes: Develop efficient reporting processes to comply with the streamlined reporting obligations under NIS2.
  • Stay Informed: Keep up-to-date with the latest developments and guidance related to NIS2 to ensure ongoing compliance.

Conclusion

The NIS2 Directive represents a significant step forward in enhancing cybersecurity across the EU. By understanding the key differences between NIS and NIS2 and taking proactive measures to comply with the new requirements, organisations can better protect themselves against ever-evolving cyber threats. Stay informed, stay prepared, and stay secure.

For more information on the NIS2 Directive and how it impacts your organisation, visit the European Parliament’s Think Tank or the SANS Institute’s NIS2 hub.