The new European directive, NIS 2 (Directive (EU) 2022/2555), entered into force on 16 January 2023, broadening the scope of application of the previous NIS Directive (Directive (EU) 2016/1148) and adopting a comprehensive “all-hazards” (multi-risk) approach. Member States had until 17 October 2024 to transpose it into national law. The directive requires public and private entities to align their organizations and processes with new security obligations. It covers a long list of critical sectors, including digital infrastructure, energy, transport, banking, financial market infrastructures, drinking water, healthcare, wastewater, management of ICT services, public administration, space, and more.
The main objective of the NIS 2 Directive is to require essential and important entities to adopt appropriate and proportionate technical, operational and organizational measures for cyber risk management, i.e. for managing the security of the network and information systems used in the course of their business activities and in the provision of their services, in order to prevent incidents and to minimize their impact when they do occur. The overall aim is a safer and more secure digital environment across Europe.
The previous NIS Directive played a crucial role in raising awareness of cybersecurity among the Member States (the 27 countries of the European Union). Its implementation, however, faced several challenges: the unforeseen arrival of the Covid-19 pandemic, and the difficulty of harmonizing the European rules with the different national legal systems, which led to fragmented and inconsistent application. NIS 2 therefore broadens the scope of the NIS Directive, bringing in new categories of entities that have become essential to the correct functioning of the European market.
NIS 2 replaces the earlier distinction between “operators of essential services” and “digital service providers” with two new categories: “essential entities” and “important entities.” Whether an organization falls within scope, and into which category, depends on the sector it operates in and on its size. As a general rule, NIS 2 applies to public or private entities that operate in one of the listed sectors, provide their services or carry out their activities within the Union, and qualify as medium-sized enterprises or exceed the ceilings for medium-sized enterprises; certain entities (for example, providers of public electronic communications networks) are covered regardless of size.
In addition to broadening the scope of application, the NIS 2 Directive adopts a comprehensive “all-hazards” (multi-risk) approach. This means that public and private entities must assess and manage not only cyber risks but also other risks that could affect the availability, integrity, and confidentiality of network and information systems and of their physical environment. These risks include natural disasters, terrorist attacks, and other malicious acts such as theft or sabotage.
Under the new directive, entities must implement risk management measures proportionate to their size, the nature and complexity of their operations, and the criticality of the services they provide. They must also adopt technical and organizational measures to ensure a high level of security; the directive lists minimum areas that these measures must cover, including risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in the acquisition, development and maintenance of systems, policies to assess the effectiveness of the measures, cyber hygiene and training, the use of cryptography, access control and asset management, and the use of multi-factor authentication where appropriate. In practice this means, among other things, incident response plans, security testing, and regular security assessments.
Another important aspect of the NIS 2 Directive is the introduction of stricter reporting obligations. Essential and important entities must report significant incidents to the competent authority or the national CSIRT within defined time frames: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report no later than one month after the incident notification. They must also cooperate with other entities and share information on incidents and threats so that attacks can be contained and incident response improved across sectors.
To comply with the NIS 2 Directive, CISOs and CIOs must ensure that their organizations have adequate resources, expertise, and budget to manage cyber and other risks effectively. The directive also places responsibility directly on management: the management bodies of essential and important entities must approve the risk management measures, oversee their implementation, and follow training on cybersecurity, and they can be held liable for non-compliance. Clear lines of responsibility and communication must therefore be established within the organization, and with external partners and authorities.
Organizations should take the following steps to comply with NIS 2:
Complying with NIS 2 is not only a legal requirement, backed by supervisory powers and administrative fines, but also good practice for ensuring the security and resilience of network and information systems.