The NIS 2 Directive: strengthening cyber resilience across sectors in the EU

Cyber threats are becoming more pervasive and sophisticated. To counter these threats, the EU has taken several measures to harmonize and strengthen cybersecurity across critical sectors, creating a safer and more resilient digital economy. For the financial sector, the Digital Operational Resilience Act (DORA) was introduced to ensure the operational resilience of financial entities. For other critical sectors, the NIS 2 Directive was implemented to enhance cybersecurity and improve incident response and cooperation across the EU. Together, these initiatives aim to protect the digital infrastructure essential to Europe's economy and society.

Melissa Parsons
Technical Writer
NIS 2 directive - C-Risk

Strengthening EU-wide cybersecurity and resilience

The Network and Information Security Directive (NIS 2) aims to boost the cybersecurity capabilities of organizations operating in Europe. The directive rests on three main pillars that help organizations and Member States enhance cybersecurity risk management, improve incident reporting, and facilitate cross-border communication on cyber threats and responses.


The European Court of Auditors published a briefing paper in 2019 that addressed 10 challenges the EU faces in creating a cybersecurity policy for Europe. One of those challenges was the gaps in EU law and its uneven transposition. NIS 2 addresses some of the gaps in NIS 1 by issuing a more prescriptive version of the original directive.


NIS 2 improves on the previous NIS Directive by raising the bar for critical infrastructure protection in EU countries, expanding the number of sectors in scope, and defining fines for non-compliance.


The three pillars of the NIS 2 Directive

Cybersecurity Risk Management

Organizations are required to implement comprehensive risk management measures. This includes conducting regular risk assessments, implementing appropriate security policies, and ensuring that both technical and organizational measures are in place to manage and mitigate potential cybersecurity threats. The aim is to create a proactive approach to cybersecurity, where risks are identified and addressed before they can cause significant harm.


Incident Reporting

Timely and accurate reporting of cybersecurity incidents is crucial under NIS 2. Entities must report significant incidents to relevant authorities promptly, ensuring that responses can be coordinated effectively at both national and EU levels. This pillar emphasizes transparency and accountability, helping to mitigate the impact of cyber incidents and fostering a culture of vigilance and preparedness.


Information Sharing

The directive encourages enhanced information sharing between public and private sectors, as well as among different organizations within the same sector. By sharing threat intelligence, best practices, and lessons learned from past incidents, organizations can build a collective defense against cyber threats. This collaborative approach aims to improve overall resilience and create a more informed and connected cybersecurity community.


NIS 2: Key phases in development and enforcement

The power of a directive in the EU

There are several types of legislative acts in the EU, and the distinctions are important to understand how they are applied and enforced.


NIS 2 is an EU directive adopted by the European Parliament and Council in November 2022 and applies to organizations operating in Europe.


Within the EU, a ‘directive’ is a legislative act that “sets out a goal that EU countries must achieve.” This goal is reached through transposition, the “process of incorporating EU directives into the national laws of EU Member States”.


Unlike a regulation, a directive is not directly applicable in all Member States. Rather, it requires each Member State to adopt the measures of the directive into national law by a given deadline. For NIS 2, the deadline to transpose the Directive is October 17, 2024.


The process of transposition is monitored by the European Commission. The Commission confirms that each Member State has met the deadline for transposing the new directive into national law and that the text of the new national legislation meets the objectives of the directive.


If a Member State does not meet the deadline for transposition, the Commission could impose a fine or penalty on the Member State.


While governments across Europe draw up new legislation, companies operating in Europe in sectors that the NIS 2 Directive classifies as ‘essential’ or ‘important’ are preparing to meet its compliance requirements based on the text of the Directive.