NIS 2
NIS 2 (Network and Information Security) Directive
It is the EU’s latest cybersecurity policy, aimed at improving the collective cybersecurity of Member States. It repeals and replaces its predecessor, the NIS Directive, introducing stricter security requirements and more stringent reporting obligations. In essence, NIS 2 aims to protect critical organizations and infrastructure within the EU from cyber threats in order to achieve a high common level of security across the EU.
Obligated entities must implement technical, operational, and organizational measures to manage the security risks of networks and information systems.
To that end, this Directive lays down the following:
– Obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs).
– Cybersecurity risk-management measures and reporting obligations for critical entities.
– Rules and obligations on cybersecurity information sharing.
– Supervisory and enforcement obligations on Member States.
What is new?
The NIS 2 Directive introduces important modifications compared to its predecessor:
Expansion of the obligated sectors: NIS 2 widens the range of sectors and entities that must meet its requirements. The number of sectors covering critical companies increases to 11 and the number of sectors covering important companies to 7, making a total of 18 NIS 2 sectors.
Minimum requirements: The directive establishes mandatory, sanctionable cybersecurity measures for incident reporting and for the necessary risk management. EU Member States can set stricter requirements within their own jurisdiction.
Incident reporting obligations: The directive requires the reporting of incidents within 24 hours of detection to their respective National Competent Authorities and in many cases to their national Computer Security Incident Response Teams (CSIRTs).
Greater supervision and sanctions: The directive introduces a new level of accountability. Obligated companies are to be actively monitored, and those that do not comply with the regulations face significant sanctions, with fines of at least 1.4% and up to 2% of the company’s total turnover; management can also be held personally accountable.
Supply chain included: Requires a risk assessment of the security practices of key affiliated third-party providers; this includes, for example, providers of managed security services.
Government support: Entities without adequate security staffing can ask for help in case of a major incident.
Cooperation: Supervision and cooperation between national authorities and EU institutions will be intensified, and European (EU) jurisdiction will be strengthened.