NIS 2: Overview of the EU NIS 2 Directive 

June 5th, 2024 Posted in evalian® News

The Network and Information Systems Directive (NIS 2) (Directive (EU) 2022/2555) will start to become meaningful for organisations operating in critical sectors within the EU as we approach the second half of 2024.  

Being an EU directive, the new law needs to be transposed by member states into their domestic laws. The deadline for this is 17th October 2024. Thereafter member states are required to publish a list of the entities in scope in their country by 17th April 2025. 

This means organisations operating in critical sectors across the EU will soon have to demonstrate compliance with the enhanced requirements set out in the new directive. In anticipation of this, and drawing on our experience of having supported organisations to comply with the first NIS Directive, this is the first of a series of blogs on NIS 2 and the steps required to comply with its security requirements.

What is NIS 2?

NIS 2 is the EU directive on measures for a high common level of cybersecurity across the European Union. It builds upon and replaces the first directive on the security of network and information systems (Directive (EU) 2016/1148)  which was known as the Network and Information Systems or NIS directive. Within this blog we’ll call the first directive ‘NIS 1’ and the new directive ‘NIS 2’. 

NIS 1 was passed into law in 2016 and applied to organisations in scope from 2018. It was scoped around seven critical sectors, covering energy, transport, health, drinking water, financial market infrastructure, banking and infrastructure. 

The UK was still an EU member state until January 2020 and therefore transposed NIS 1 into UK law as the Network and Information System Regulations. These came into force in May 2018, the same month as the GDPR.  

As we’ll cover below, the EU has since identified a need to go further and to cover more of the sectors which underpin societal and economic activities and public safety and health in its member states. This led to NIS 2, which builds upon and replaces NIS 1.

The UK is not in scope for the EU’s NIS 2 because it has since left the European Union. A UK version of NIS 2 is planned and is expected to be less extensive, but further details have not been released since the 2022 consultation response from the DCMS.

Despite this, many organisations based in the UK will also be established in the EU, meaning they should be planning for compliance with the EU version of NIS 2 and may choose to operate to the EU standard within the UK as well, rather than running two security compliance regimes.

Background to NIS 2

As covered above, NIS 2 builds upon and replaces NIS 1. The first NIS directive focused on raising cybersecurity standards among operators of essential services (‘OES’) in the seven key sectors.  

When defining the security and incident reporting obligations to be met by OES, NIS 1 took something of a principles-based approach and required that OES “implement appropriate and proportionate technical and organisational measures” to manage their security risks, and to prevent and minimise the impact of security incidents. OES were also required to notify authorities about incidents affecting essential services “without undue delay”.

When transposing the NIS 1 requirements into member state law, some member states, including the UK, set a high bar for minimum compliance expectations. Specific requirements were less well defined by other member states, however, leaving room for interpretation by OES in their countries. This led to inconsistency across the EU at a time when reliance on digital technologies has grown and cyber threats have accelerated.

NIS 2 has therefore been introduced to establish a higher and more consistent standard of cybersecurity across a much larger scope of entities, with the aim of improving the cyber preparedness of organisations providing essential and important services.

Key Changes in NIS 2

The new directive increases the number of sectors in scope from seven to seventeen and applies new criteria for determining whether an entity is deemed an Essential or Important entity, mainly based on the sectors it operates in and its size. The additional sectors in scope are: 

  • Public Administration 
  • Waste Water 
  • ICT Services Management 
  • Postal/Courier 
  • Food 
  • Waste Management 
  • Digital Providers 
  • Manufacturing 
  • Chemicals 

NIS 2 also sets out more detailed security requirements to be met by Essential and Important entities to ensure a more consistent level of cybersecurity is enforced across member states. We can still expect some differences in interpretation but the core expectations for security governance, security risk management, incident response and enhanced incident reporting are set down.  

The directive also establishes a new supervision and enforcement regime, with regulators to be provided with detailed audit and inspection powers and new enforcement options. These include increased fines and even being able to hold executives personally liable for non-compliance.  

Steps to Take Now

We’ll cover this in more detail in future blogs, but as a starting point we’d recommend working with your legal and compliance teams to determine whether you are in scope of NIS 2. If so, you should identify which entities are covered and which locations.  

Your legal team will want to be tracking the status of implementation in each member state using one of the trackers available from law firms. You should also monitor for implementation guidance as it becomes available in each country where you are established (although this will likely arrive after implementation, as was the case with the GDPR). 

Thereafter we’d suggest you plan for a gap analysis in which you compare your current measures and processes against the standard set out in the directive. Although it is much more detailed than NIS 1, it is not prescriptive. If you’d like more detail on what ‘good’ might look like, we’d suggest looking at the security requirements set out in the EU Digital Operational Resilience Act (DORA), which is much more prescriptive. We anticipate that member states’ expectations will be very similar.

Need help or guidance with NIS 2?

If you need help with NIS 2, please get in touch. We can help you identify your NIS 2 scope and legal obligations, interpret member state laws and guidance as they become available, conduct a gap analysis of your current security posture, develop improvement plans and lead improvement workstreams. 

Evalian’s consultants are highly experienced in leading risk assessments, developing policies, conducting assurance activities and implementing security management systems covering IT and OT systems.

We are happy to simply assist with specific elements of your NIS 2 readiness work, or we can take a more hands-on approach and guide and support your whole programme. Our supply chain security managed service, using our SupplyIQ tool, is perfectly suited to the supply chain security requirements.  

Contact us today to chat to our friendly, expert team.  


Written by Sean Huggett

Sean specialises in data protection, information risk and cyber security. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in privacy and security strategy, management and compliance. Sean is also Managing Director at Evalian®. His qualifications include CISM, CISA, CRISC, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISMP, CIPP-E, CIPT & GDPR Practitioner Certificate.