Sign inTry Strike for free
Try Strike for free

NIS 2: A new directive to strengthen cybersecurity measures in the EU

María Eugenia Yavarone

4 min read

NIS 2: A new directive to strengthen cybersecurity measures in the EU

Network and information systems became a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cyber threat landscape, bringing about new challenges, which require adapted, coordinated, and innovative responses in all of the European Union (“EU”)”.

The number, magnitude, sophistication, frequency, and impact of incidents are increasing and can impede the pursuit of economic activities in the internal market, generate a financial loss, undermine user confidence, and cause major damage to the EU’s economy and society. To put this in numbers, more than 50% of the companies of The Netherlands, France, and Spain suffered a cyberattack in 2022.

The Directive 2016/1148 (NIS) which came into force in 2016 aiming to build cybersecurity capabilities across the EU, brought significant progress in the landscape of cybersecurity. However, it has proven not to be sufficient to effectively address current and emerging challenges in this field; besides, not being sufficient to bring harmonization throughout the members of the EU.

As a result, on January 16, 2023, the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union came into force. The Directive - also known as “NIS 2” - replaces Directive 2016/1148.

Brief explanation on NIS 2

This new Directive builds upon the NIS and introduces some changes to overcome the latter. Its main goal is to modernize the existing legal framework and keep up with changes that appear due to digitalization and the increase of cyberattacks in the region.

Blog_NIS 2 - 2.jpg

The NIS 2 seeks to achieve a high common level of cybersecurity across the UE, with a view to improving the functioning of the internal market. In doing so, the NIS 2 is expanding its scope of rules to new sectors, it is improving the responsiveness of incidents done by both public and private entities and the EU, among other measures. This Directive frames:

a) Obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact), and computer security incident response teams (CSIRTs);

b) Cybersecurity risk-management measures and reporting obligations for entities of a type referred to in Annex I or II as well as for entities identified as critical entities under Directive (EU) 2022/2557;

c) Rules and obligations on cybersecurity information sharing;

d) Supervisory and enforcement obligations on Member States.

What does it change?

There are important changes between the past NIS and the NIS2. These are key aspects that will give EU member states’ more obligations to enhance their cybersecurity, and also establish new categories among other changes.

  1. SCOPE: New categories of entities are included in the scope of the NIS2 such as wastewater management, food, space, manufacturers of chemicals and medical devices, food processors, social network providers, etc.

  2. CATEGORIES: The NIS differentiated between “operators of essential services” and “digital services providers”. With the NIS 2, the classification is between “essential entities” and “important entities”

  3. ORGANIZATION NETWORK: NIS 2 establishes The European Cyber Crises Liaison Organization Network. This was proposed to support the coordinated management of cybersecurity on large-scale incidents at the EU.

  4. ESSENTIAL ENTITIES: There are new cybersecurity obligations imposed on “essential” entities when it comes to risk management, reporting of cyberattacks, and information sharing.

  5. COVERED ENTITIES: With the previous NIS, covered entities were fined for being non-compliant. With NIS 2 there are new obligations for management bodies (for example, company boards).

  6. MEMBER STATES: There are new requirements for the national cybersecurity strategies of the EU member states, which will have to be enhanced.

  7. PROCESSES: Before, companies had to go through a detailed evaluation done by the EU before being designated as a subject matter of the regulation. In NIS 2, each company shall analyze itself and define if they are an essential company to comply with.

Following steps

  • By October 17th, 2024, member states of the EU must adopt and publish the measures necessary to comply with the NIS 2 which shall apply from October 18, 2024.

  • By July 17th, 2024, and every 18 months thereafter, EU-CyCLONe shall submit to the European Parliament and to the Council a report assessing its work.

  • By October 17th, 2024, the Commission shall adopt implementing acts laying down the technical and methodological requirements of the measures with regard to the following providers: DNS service, TLD name registries, cloud computing services, data center services, content delivery network, managed services, managed security services, online marketplaces, of online search engines and of social networking services platforms, and trust service providers.

  • By January 17th, 2025, the Cooperation Group will establish the methodology and organizational aspects of peer reviews, which will be carried out by cybersecurity experts designated by at least two member states. They will do this with the assistance of the Commission and ENISA and will have the main goal of learning from shared experiences, strengthening mutual trust, and achieving a high common level of cybersecurity. Also, this will be relevant for enhancing the member states’ cybersecurity capabilities and policies that are necessary to implement this Directive.

  • By April 17th, 2025 the member states will establish a list of essential and important entities providing domain name registration services. They will review and update that list if necessary on a regular basis, and at least for the next two years.

  • By April 17th, 2025, the authorities will have to notify the Commission and the Cooperation Group about the number of essential entities for each sector. This will have to be done every two years thereafter.

  • By October 17th, 2027, the Commission will have to review the functioning of the Directive and report it to the European Parliament. This will have to be done every 36 months thereafter.

Key aspects to take into account for your company

There is no doubt that NIS 2 is part of the adaptation process the EU Members are doing due to the rise of constant cyberattacks in the region. However, it is important to note that these major changes will, most likely, impact your business.

  • Since the scope of NIS 2 has expanded application, it is essential to investigate if your company may fall into one of its categories and therefore, what are your company's obligations.

  • This may lead to an increase in your cybersecurity costs, because they may vary in order to comply with this regulation. However, it is important to note that this is not an expense, but rather an investment to have rigorous cybersecurity standards and avoid potential cyberattacks which can lead to impossible to calculate losses.

  • For those companies that are already obliged by this regulation, it is important to review what new obligations apply, especially the ones related to cybersecurity risk management and incident reporting.

  • Managed services are also a key aspect of NIS 2. Since its providers are connected to networks from all kinds of companies, protecting them will also be relevantin order to avoid cyberattacks.

*María Eugenia Yavarone is Strike's Chief Legal and Strategy Officer

Subscribe to our newsletter and get our latest features and exclusive news.