NIS2: Get familiar with the EU's new cyber security directive (part 1/3)
In this blog, you'll learn about the background and the reasons behind the EU's new Network and Information Security 2 (NIS2) Directive. This is the first part of a three-part blog series. By reading all three parts, you'll get the best overall picture of the directive and how your organization should react to it.
Original NIS Directive and its replacement
The original Network and Information Security (NIS) Directive, which was published back in 2016, was a significant milestone for the cyber security of the European Union. It became the first EU-wide legislation dedicated to tackling the threats to cyber security. The primary goal was to ensure a consistent and high level of cyber security across relevant industries in all Member States.
While the directive did succeed in enhancing cyber security, it also encountered challenges during its implementation. These obstacles ultimately led to variations in the level of cyber security readiness among the Member States. It became clear that establishing a unified and resilient cyber security landscape throughout the EU required additional efforts.
In response to the challenges in the original NIS Directive and the increased cyber threats brought by digitalisation and the growth of cybercrime, the European Commission is replacing the NIS Directive. The new proposal, the NIS2 Directive, aims to tackle the challenges of the original NIS by investing more in the following aspects:
- clearer and more comprehensive security requirements for related organizations
- addressing also the security of supply chains
- simplifying reporting guidelines
- introducing more extensive enforcement methods
What sectors did the original version cover?
The NIS Directive applies to two different categories of organisations: operators of essential services (OESs) and digital service providers (DSPs).
OES refers to organisations that provide services defined as critical for the functioning of the economy and society as a whole. This includes critical infrastructure sectors such as water, transportation, and energy, as well as services like healthcare and digital infrastructure.
DSPs are organisations that offer specific types of digital services, mostly online search engines, online marketplaces, and cloud computing services.
To qualify as a DSP, an organisation must provide one or more of these services and fall within the category of a medium-sized enterprise.
There is a general exemption for small businesses in the digital services sector. If an organisation has fewer than 50 employees and a turnover below €10 million, it is not considered a DSP and therefore NIS2 does not apply to it. However, if the organisation is part of a bigger group, it must evaluate the staff and turnover of the entire group.
We will cover NIS2 scope and security requirements in more detail in this series' next posts.
Why did the NIS Directive fail to establish a high level of cyber security?
The implementation of the directive varied among the Member States. Each Member State applied the Directive differently, which led to inconsistencies between the Member States' cyber security levels. The lack of consistency weakened the impact of the directive.
Level of readiness
Different Member States had varying levels of readiness for the Directive. Some Member States already had consistent and strong cyber security measures, while others had a lot of work left. The differences in the starting point resulted in differences in achieving a high level of cyber security.
Member States had to decide which organisations would be defined as OESs. This proved to be a difficult process due to the complexity of the sectors. This further increased the differences in the level of cyber security between Member States.
The Directive gave Member States too much control over the requirements of cyber security incident reporting.
One of the first reactions to the NIS Directive was that it did not cover all sectors providing key services to the economy and society.
How will NIS2 fix the inconsistencies?
Even though NIS2 is mostly based on the original NIS Directive, it brings some big changes. The NIS2 Directive introduces a set of enhanced security requirements. The flexibility to customise compliance with these requirements was removed, because the excessive flexibility of the original NIS allowed vulnerabilities. NIS2 ensures that there is no room for such vulnerabilities, as it clearly outlines the rules that everyone must follow.
NIS2 requires, for example, the following security themes to be well organised in the organisations concerned:
- Information security risk management
- Incident detection, management and reporting
- Cyber security training
- Business continuity planning / crisis management
- Supply chain security
- Data encryption
Read more about these themes and the scope of NIS2 in the second part: NIS2 scope and main security requirements
Questions and feedback
Do you have any further questions, need another help article, or would like to give some feedback? Please contact our team via firstname.lastname@example.org or the chat box in the lower right corner.