News

On 16 January 2023, the European Union made a significant leap in strengthening cyber security by introducing the NIS-2 Directive, superseding its precursor, the original NIS Directive from 2016. This action underscores the EU's heightened endeavours to enhance cyber security provisions. NIS stands for "Network and Information Security," the directive's primary objective being to unify the level of cyber security across member states and boost the resilience of critical infrastructures against cyber threats. Member states have until 17 October 2024 to incorporate the NIS 2 into national legislation. Germany, for example, has been forward-thinking with a draft bill for its implementation – the NIS-2 Implementation and Cyber Security Augmentation Act – issued in July 2023.

What the NIS 2 Directive Requires

The NIS 2 Directive heightens the prerequisites for cyber and information security across organisations and establishes stricter rules for particular sectors. Businesses heads will confront more encompassing liability regulations. Impacted organisations and firms must redouble their efforts in numerous crucial areas: cyber risk management, monitoring and controlling cyber incidents, securing their supply chains, data encryption, access limitations, communicating with authorities, and guaranteeing business continuity.

Organisations Targeted by the NIS-2 Directive

The NIS-2 Directive casts its net wide, focusing on operators of services classified as critical infrastructure. These are divided into two categories: those of paramount importance and those deemed significant. The VIP list includes organisations in energy, water supply, IT and telecommunications, transportation, logistics, finance, healthcare, space, and public administration. On the significant front, we're discussing providers in postal services, waste management, food, chemicals, and research institutions. These sectors form the backbone of maintaining critical societal and economic functions.

The primary distinction between the most vital and essential organisations resides in the amount of supervision by regulatory bodies and the magnitude of possible penalties. Premier tier entities may confront sanctions up to ten million Euros or 2% of their annual revenue, whereas significant organizations could experience fines amounting to seven million Euros or 1.4% of their yearly turnover.

The regulation chiefly targets medium and large enterprises with a minimum of 50 employees and 10 million Euros in annual turnover. This considerably raises the quantity of firms in the United Kingdom affected by the NIS guidelines as compared to the preceding directive.

Main Points

Organisations affected should commence their preparations for the implementation of the NIS 2 directive without delay, so as to squarely meet its requirements. Beginning with a comprehensive analysis to identify vulnerabilities and threats is the first step. Collaborating with cybersecurity consultants can provide indispensable assistance in this undertaking.

The NIS-2 Directive represents a considerable landmark for the EU, laying the groundwork for improved and harmonised cyber resilience that will fundamentally alter cybersecurity throughout Europe.

You can download the NIS 2 Directive from EUR-Lex.