Jurisdiction: European Union / European Economic Area | Status: Adopted. EU member states have until 17 October 2024 to transpose the Directive into national law.
History and what it’s about
The NIS2 Directive (Directive (EU) 2022/2555) was adopted on December 14, 2022, as a revision to the original NIS Directive (Directive on Security of Network and Information Systems) that was established in 2016. NIS2 aims to strengthen the resilience of critical infrastructure and digital services across the European Union by addressing increasing cybersecurity threats and ensuring a unified approach to cybersecurity standards across member states.
In other words, the NIS2 Directive imposes obligations on organizations operating in key sectors, including energy, transport, healthcare, and financial markets, as well as digital infrastructure providers, to enhance their cybersecurity practices. It extends the scope of the original NIS Directive by increasing regulatory requirements and introducing more stringent enforcement mechanisms to ensure compliance.
Who has a role to play in NIS2 compliance?
The NIS2 Directive outlines several key roles for organizations and authorities responsible for ensuring the cybersecurity of critical infrastructure and essential services.
Obligation holders
- Operators of essential services: Organizations in critical sectors like energy, transport, healthcare, water, and financial markets that provide essential services to society.
- Digital service providers: Companies providing digital infrastructure and online services, including cloud computing, data centers, and online marketplaces.
- Supply chain partners: Companies in the supply chain that support essential service operators and digital service providers.
Supervisory bodies
- National cybersecurity authorities: Each EU member state is required to appoint or designate authorities responsible for monitoring compliance with the NIS2 Directive.
- European Union Agency for Cybersecurity (ENISA): ENISA supports the implementation of NIS2 by providing guidance and coordination for member states.
Rights holders
- EU residents and organizations: Beneficiaries of improved cybersecurity measures that ensure the continuity of critical services and digital infrastructure.
What are the most important obligations?
The NIS2 Directive imposes several key obligations aimed at improving cybersecurity across the EU:
- Implement appropriate cybersecurity measures to manage risks to networks and information systems that support essential services.
- Conduct regular risk assessments and implement necessary technical and organizational controls to mitigate identified risks.
- Report significant cybersecurity incidents to the relevant national authorities within 24 hours.
- Conduct audits and compliance checks to ensure that cybersecurity measures are effective and up to date.
- Ensure that supply chains and third-party providers comply with cybersecurity requirements.
- Cooperate with national cybersecurity authorities and share information on threats, vulnerabilities, and incidents.
- Appoint a responsible person for cybersecurity within the organization to oversee compliance.
What are the consequences of non-compliance?
Failure to comply with the NIS2 Directive can lead to severe consequences for organizations:
- Fines of up to €10 million or 2% of an organization’s annual global turnover, whichever is higher.
- Mandatory corrective actions imposed by national authorities, including enhanced supervision and inspections.
- Potential exclusion from public contracts and government procurement processes for non-compliant companies.
- Reputational damage due to publicized cybersecurity breaches or failures to comply with regulatory obligations.
- Legal actions from affected individuals or organizations in the case of security breaches that cause harm.
Where can I find more information?
The official title for the NIS2 Directive is: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) 2019/881 (Cybersecurity Act) and repealing Directive (EU) 2016/1148. You can find more information on NIS2 here: