NIS2 improves on the NIS Directive with greater cybersecurity measures.

Navigating The Network and Information Security Directive Update (NIS2)

Emily Bogin

NIS2 has improved on the NIS Directive to support a more robust cybersecurity program for the EU. More service providers must prepare for stricter regulations… are you ready?

The Network and Information Security Directive (NIS), initially introduced over eight years ago, has been a cornerstone in enhancing cybersecurity across the European Union (EU). Now, with the imminent arrival of NIS2 slated to go into effect in October this year, companies must prepare to navigate a new regulatory framework that builds upon its predecessor while introducing crucial updates and enhancements.

NIS and NIS2: What’s The Difference?

The NIS Directive, which was established in 2016 to modernise the legal framework around cyber risks and business preparedness, was modified and expanded in 2023 with NIS2.

The rapid digital transformation after Covid brought with it a more complex landscape of cybersecurity threats. Given the increasing interdependence of systems, supply chains, and more, a threat that emerges in one sector has far-reaching effects. In other words, the EU business ecosystem is more interconnected and interdependent than ever before, and members must take action against threats now to ensure they are prepared to face growing risks. As Member States uphold stricter cybersecurity standards to improve resilience, more businesses must prepare for the new order.

The NIS Directive has undoubtedly improved the resilience of information systems in the EU, but given the rapid changes to the digital economy, has also shown certain limitations.

According to the European Union website, the NIS Directive fell short with respect to:

  • Preparing EU businesses with resilience in the face of cyber security threats
  • Preparing Member States and sectors with resilience in the face of cyber security threats
  • Creating a common understanding among Member States of the main threats and challenges of cyber security
  • Providing a joint response

NIS2 responds and improves upon the challenges of the preceding NIS Directive by expanding the number and kinds of entities that are subject to cyber security regulations, streamlining the categories of these entities, driving collaboration across departments, strengthening reporting requirements, and more.


What Are the Key Components of NIS2?

Expansion of Scope:
NIS2 broadens the scope of previous rules by incorporating additional sectors based on their digitalization, interconnectedness, and importance to the economy and society. It introduces a clear size threshold, encompassing all medium- and large-sized companies within selected sectors. Member States, however, will have discretion to identify smaller entities with high security risk profiles for inclusion under the Directive.

Streamlined Taxonomy:
The new Directive both expands the number of entities that are subject to regulatory action and simplifies their categories by eliminating the distinction between operators of essential services and digital service providers. Depending on which category an entity falls under (essential or important), the Directive introduces new security and reporting requirements.

Strengthened Security and Reporting Requirements:
The regulation enhances and streamlines security and reporting requirements for companies, specifying incident reporting processes, content, and timelines. It aims at harmonising sanctions regimes across Member States to ensure consistency in penalties for non-compliance.


Consistency Through Collaboration:
NIS2 builds on existing relationships and regulating bodies to ensure consistency across Member States, both in the penalties applied and in coordination with other entities. The dedicated website reports, “Member States in cooperation with the Commission and ENISA, may carry out Union level coordinated security risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.” NIS2 also elevates the role of the Cooperation Group in shaping strategic policy decisions, and builds communication and coordination through the European cyber crisis liaison organisation network.

New Governmental Framework:
NIS2 creates a basic framework to handle vulnerabilities across the EU. This includes, for example, an EU vulnerability database that will be operated and maintained by the EU Agency for Cybersecurity (ENISA).

How Are Businesses Implicated in NIS2?

Companies looking ahead to NIS2 are taking note of the strengthened security and reporting requirements. Member States will expect businesses that fall subject to NIS2 to manage, prevent, and minimise the impacts of incidents on the recipients of their services. Generally, there will be more rigorous risk assessments and more granular expectations around reporting.

Article 21 of NIS2 states, “Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.”


How Does NIS2 Manage Risk?

The directive anticipates that relevant entities will build and support:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management;
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Businesses are not waiting for October to get started. Instead, they are beginning their risk assessments, internal training, and documentation now.

Some steps that they are taking:

  • Conduct a Comprehensive Assessment
  • Understand Applicability and Classification
  • Review and Update Policies and Procedures
  • Enhance Security Measures
  • Establish Incident Response Capabilities
  • Facilitate Information Sharing and Cooperation
  • Stay Informed and Engage with Authorities
  • Invest in Training and Awareness
  • Monitor Regulatory Developments

Reach out to our team for more information on how your teams can leverage Mitratech’s solutions, with the NIS2 framework and templates readily available, to accelerate your NIS2 compliance journey and utilise the powerful advantages of partnering with next-generation GRC technology.
