New proposed directive - NIS 2
There is a proposal for a new directive which originates from the NIS directive – this new proposed directive is called NIS 2. NIS 2 has a number of additions and will affect more sectors and companies than the original NIS directive.
What is the NIS Directive?
The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.
Read more about the original NIS directive here!
Proposal for a new directive - NIS 2
The initial NIS directive included a process for regular review of the directive itself. This has led to a proposal for a directive for countries in the EU on measures for a high common level of cybersecurity, called NIS 2. Once the new proposal is agreed upon, member states in the EU have 18 months to apply the new NIS 2 Directive.
The proposal for NIS 2 addresses deficiencies in the original NIS Directive. These deficiencies were found:
- Businesses in the EU do not have a sufficient level of cyber resilience (cyber resilience is the resistance to a possible cyberattack, but also the ability to keep capacity up during an attack, and how well you return to your original capacity after an attack)
- There is inconsistency between member states and sectors concerning cyber resilience
- Member states do not have a sufficient understanding of present threats and challenges, and there is no joint crisis response
What is new with NIS 2?
Based on these deficiencies, new additions have been made, creating the new proposal NIS 2. These are the most prominent new additions:
- New sectors (list further down)
- Higher demands on security and reporting, where a minimum requirement list must be followed
- Security of supply chains and suppliers
- Elimination of the distinction between operators of essential services and digital service providers
- Stricter supervisory measures for national authorities and firmer enforcement requirements
- Harmonised sanctions regimes across member states, enabling administrative fines to be issued
- An enhanced role for the Cooperation Group, and increased information sharing and cooperation between member state authorities
More sectors and companies are affected by NIS 2
In the new proposal, new sectors have been added based on how vital they are for society and the economy. A wider range of companies within each sector will also be included.
In the current NIS Directive, there are seven affected sectors: energy, transport, banking, financial market infrastructure, healthcare, water supply and digital infrastructure. These sectors will be joined by manufacture of pharmaceutical products including vaccines and of critical medical devices, public administration, and space.
Other important entities that will also be affected are postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers.
Within each affected sector, all large and medium-sized businesses within the EU will have to comply. Smaller businesses can also be affected if deemed necessary due to their profile.
Will you be affected by NIS 2?
When you start working with security protection, the first step is to carry out a security protection analysis. Identifying the most important information assets of the business also identifies the measures that need to be taken in order of priority.
To learn more about how to protect your most important information, read more about information security!
Do not hesitate to contact us at Advenica!