NIS2 Explained: 01 Introduction

In today’s increasingly digital world, cybersecurity has become a critical concern for governments, businesses, and individuals alike. The European Union (EU) has taken a significant step forward in addressing these challenges with the introduction of the NIS2 Directive (Directive (EU) 2022/2555). But what exactly is NIS2, and why does it matter? In this article, we’ll explore the basics of NIS2, its objectives, and its importance for cybersecurity across the EU and beyond.

What is NIS2?

The NIS2 Directive is the revised version of the original Network and Information Systems (NIS) Directive, which was adopted in 2016. The NIS Directive was the first EU-wide legislation aimed at improving cybersecurity across member states. However, as cyber threats have evolved and become more sophisticated, the EU recognized the need for a more robust and comprehensive framework. This led to the development of NIS2, which was formally adopted in December 2022.

NIS2 builds on the foundation of the original NIS Directive but introduces stricter requirements, broader scope, and enhanced measures to ensure the resilience of critical infrastructure and essential services. It aims to create a high common level of cybersecurity across the EU, ensuring that member states and organizations are better prepared to prevent, detect, and respond to cyber incidents.

One of the most significant aspects of NIS2 is its enforcement mechanism, which includes substantial fines for non-compliance. The directive empowers EU member states to impose penalties on organizations that fail to meet its requirements.

Here’s an overview of the maximum fines the directive provides for:

For essential entities (e.g., energy, healthcare, transport), fines can be up to €10 million or 2% of the organization’s global annual turnover, whichever is higher.

For important entities (e.g., digital infrastructure, manufacturing), fines can be up to €7 million or 1.4% of the organization’s global annual turnover, whichever is higher.

Who Needs to Comply with NIS2?

NIS2 applies to a wide range of organizations, including:

Essential Entities: These are organizations in sectors that are critical for the economy and society, such as energy, healthcare, transport, and finance. Examples include power plants, hospitals, and banks.

Important Entities: These are organizations in sectors that are important for public safety or economic stability, such as digital infrastructure, manufacturing, and public administration. Examples include cloud service providers, postal services, and waste management companies.

Small and medium-sized enterprises (SMEs) are generally exempt from NIS2 unless they provide critical services or operate in high-risk sectors. However, SMEs that fall under the scope of NIS2 will benefit from simplified compliance measures.

What is Next?

As the NIS2 Directive is implemented across EU member states, organizations must take proactive steps to understand their obligations and prepare for compliance. In the next article in this series, we’ll dive deeper into the NIS2 Key Objectives and explore which sectors and entities are covered by the directive.
