NIS2 (Directive (EU) 2022/2555)

NIS2 (Directive (EU) 2022/2555) is a significant piece of European Union legislation aimed at raising the level of cybersecurity across member states. It replaces the original NIS Directive (Directive (EU) 2016/1148), widening its scope to more sectors and entities and introducing stricter compliance, reporting and supervision requirements.

Overview of the NIS2 Directive

NIS2, formally the Directive on measures for a high common level of cybersecurity across the Union, aims to strengthen the EU cybersecurity framework by setting higher, more uniform requirements for the security of network and information systems. The directive responds to the weaknesses exposed by the growing volume and impact of cyber attacks, and its goal is to keep essential and important services resilient against such risks. Because NIS2 is a directive rather than a regulation, it does not apply directly: each member state must transpose it into national law. The deadline for doing so was October 17, 2024, and member states are at varying stages of progress *1 *5.

Affected Countries and Sectors

At the time of writing, several EU countries had already adopted national transposition legislation for NIS2, including:

  • Belgium
  • Croatia
  • Greece
  • Hungary
  • Latvia
  • Lithuania

Other member states are at various stages of implementation, and some were expected to miss the deadline. Until a member state has transposed the directive, organisations there should treat the directive text itself as the reference for what their national law will require.

Affected Sectors

NIS2 significantly broadens the range of sectors covered compared to its predecessor. The directive categorises in-scope organisations into two main groups: Essential Entities (EE) and Important Entities (IE). Classification depends on both the sector and the size of the organisation: as a rule, large organisations in the high-criticality sectors (Annex I) are essential entities, while medium-sized organisations in those sectors and organisations in the other critical sectors (Annex II) are important entities, with specific exceptions for certain providers such as DNS and trust services. Essential Entities typically include:

  • Energy
  • Transport
  • Finance
  • Public Administration
  • Health
  • Water Supply (drinking & wastewater)
  • Digital Infrastructure (e.g., cloud computing)

Important Entities typically include:

  • Postal Services
  • Waste Management
  • Chemicals
  • Research
  • Food Industry
  • Manufacturing (including medical devices)
  • Digital Providers (e.g., social networks, online marketplaces)

This expansion means that approximately 300,000 organisations are expected to fall under NIS2, a significant increase from the roughly 20,000 covered under the original NIS Directive *1 *2 *4 .

Penalties and Consequences for Board Members

NIS2 introduces stringent penalties for non-compliance. The directive sets minimum levels for the maximum fines that national law must provide, and these differ by the classification of the entity:

  • For Essential Entities: Fines can reach up to €10 million or 2% of total worldwide annual turnover from the previous financial year, whichever is higher.
  • For Important Entities: Fines can reach up to €7 million or 1.4% of total worldwide annual turnover from the previous financial year, whichever is higher *3 *4 .
  • Moreover, the directive imposes direct obligations on management bodies. They must approve the organisation's cybersecurity risk-management measures, oversee their implementation, and undergo training on the subject, and they can be held liable if the organisation fails to comply. For essential entities, supervisory authorities can also temporarily ban a natural person with management responsibility (such as a CEO or legal representative) from exercising managerial functions if the entity does not remedy non-compliance. Management is likewise expected to ensure that significant incidents are reported promptly to the competent authority or CSIRT: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

Conclusion

The NIS2 Directive represents a crucial step towards stronger cybersecurity resilience across Europe. By expanding the range of affected entities and sectors, setting concrete risk-management and incident-reporting obligations, and backing them with significant penalties and management liability, it aims to create a safer digital environment within the EU. Organisations that fall within its scope should first establish whether they are an essential or an important entity, then work towards compliance promptly, as national transposition laws take effect.