The NIS 2 directive is now published, and the countdown has begun to the deadline by which organisations in the EU have to adopt it. On October 18th, 2024, the directive will come into force, and by then everyone affected must have adapted their operations. Among other things, the updated directive applies to more sectors, has more additions, and involves an increased focus on encryption.
The reason for the development of NIS 2
The initial NIS Directive included a process to conduct a regular review of itself. This has led to a proposal for a directive for countries in the EU about measures for a high common level of cybersecurity. This proposal is called NIS 2.
The proposal for NIS 2 contains aspects that address deficiencies in the original NIS Directive. These deficiencies were found:
- Businesses in the EU do not have a sufficient level of cyber resilience (cyber resilience is the resistance to a possible cyberattack, but also the ability to keep capacity up during an attack, and how well you return to your original capacity after an attack)
- There is inconsistency between member states and sectors concerning cyber resilience
- There is insufficient understanding among member states of present threats and challenges, and no joint crisis response
What is new with NIS 2?
Based on these deficiencies, new additions have been made, creating the new proposal NIS 2. These are the most prominent new additions:
- Larger scale than NIS: more sectors are considered essential services (list further down)
- Managers are held accountable for securing the business
- Incident reporting now has to be done within 24 h instead of 72 h
- Higher demands on security and reporting, where a minimum requirement list must be followed
- Security of supply chains and suppliers
- Elimination of the distinction between operators of essential services and digital service providers
- Stricter supervisory measures for national authorities, firmer enforcement requirements
- Aims to harmonise sanctions regimes across member states, enabling administrative fines to be issued. The fines will be up to 10 million EUR or 2 % of the entity's total turnover worldwide. Read more about this in our blog post!
- Enhancement of the role of the Cooperation Group, and an increase in information sharing and cooperation between member state authorities
In NIS 2, there are also recommendations on using encryption and cryptography. Among other things, encryption and related security methods (authentication, integrity preservation and non-repudiation) can be included in efforts to protect networks and information systems. It is also mentioned that public electronic communication networks and available electronic communication services should use encryption, in particular end-to-end encryption.
More sectors and companies are affected by NIS 2
In the new proposal, new sectors have been added based on how vital they are for society and the economy. A wider range of companies within each sector will also be included. This is a response to Europe’s increased exposure to cyber threats.
In the current NIS Directive, there are seven affected sectors: energy, transport, banking, financial market infrastructure, healthcare, water supply and digital infrastructure. These sectors will be joined by manufacture of pharmaceutical products including vaccines and of critical medical devices, public administration, and space.
Other important entities that will also be affected are postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers.
Within each affected sector, all large and medium-sized businesses within the EU will have to comply. Smaller businesses can also be affected if deemed necessary due to their profile.
The expansion of the scope covered by the new rules, by effectively obliging more entities and sectors to take cybersecurity risk management measures, will help increase the level of cybersecurity in Europe in the medium and longer term.