The NIS2 Directive: Everything to Know About NIS2 Legislation in the European Union

Written by Ariën van Wetten, Marketing Director EMEA at Datto, Inc.

The increasing rise of cybersecurity incidents led the European Union (EU) to take a hard look at industries and suppliers that, if compromised, could potentially be detrimental. Industries such as energy, transport, and finance, were preeminent concerns when the leaders of the EU met in 2016 to create cybersecurity legislation for all critical suppliers across the EU. With the goal of improving the supplier’s cybersecurity resilience, the initial NIS initiative was born.

When was the NIS Directive introduced?

In 2016, the NIS Directive was introduced by the EU to strengthen the existing legal framework to keep up with increased digitization and an evolving cybersecurity threat landscape. NIS did this by expanding the scope of cybersecurity rules to new sectors and entities, improving resilience and incident response capacities of public and private entities, and set common rules around cybersecurity to boost the overall level of cybersecurity across the EU.

The NIS2 Directive

The initial NIS Directive left many EU member states interpreting the directive differently, leaving gaps in security and challenging the original intent of the directive. NIS2 is an update to the original NIS EU cybersecurity directive that resolves these gaps by mandating what cybersecurity practices are important and what essential suppliers must have in place by 2024, as well as how breaches must be reported to the European authorities.

What is the purpose of the NIS2 Directive?

The COVID-19 crisis and the rapid digital transformation that stemmed from it, along with growing threats due to digitalization and interconnectedness, forced the EU to revisit the original NIS Directive, analyse the impact, and identify the deficiencies created by this new digital era.

What the commission found was the following deficiencies from the previous NIS Directive:

  • Insufficient cyber resilience levels of businesses operating in the EU
  • inconsistent resilience across member states and sectors
  • insufficient common understanding of the main threats and challenges among EU
  • lack of joint crisis response

The NIS2 Directive expands the baseline for cybersecurity risk management measures and reporting obligations across the EU in initial sectors including energy and transportation. The new NIS2 includes health and digital infrastructure. It expands rules for a regulatory framework and lays down mechanisms for effective cooperation across the EU. It also updates the list of sectors and activities subject to cybersecurity obligations and provides remedies and sanctions to ensure enforcement.

When does NIS2 go into effect?

This past November the Council adopted the NIS2 Directive and published the new directive December 2022 officially replacing and repealing the NIS Directive (Directive 2016/1148/EC). Member states must incorporate the provisions of the NIS2 Directive into national law in 21 months from the entry into force of the directive.

Who does NIS2 apply to?

NIS2 applies to all companies, suppliers, and organizations (referred to as “entities”) that deliver essential or important services for the European economy and society. If you fit within one of the categories listed below, then NIS2 applies to you.

NIS2 will likely not apply to entities with less than 50 employees or 10 million in annual revenue unless they have a critical role in the EU’s economy or society.

NIS2 holds management accountable for the following:

  • ensuring that cybersecurity risk assessments are carried out;
  • implementing technical and organizational security measures;
  • staying on top of cybersecurity through training and risk management programs, and ultimately
  • managing risks appropriately

Failure to demonstrate that risk and cybersecurity practices that have been addressed could result in authorities being able to rely on a robust set of enforcement and investigation powers. These could include the ability to conduct raids, perform security audits and request data, information and documents (amongst others).

Further, member states must provide authorities the ability to impose considerable fines:

  • For essential entities, of at least up to €10 million or 2% of the worldwide annual turnover.
  • For important entities, of at least up to €7 million or 1.4% of the worldwide annual turnover.