The Network and Information Systems (NIS) 2 Directive (“NIS 2 Directive”) has been published in the Official Journal of the European Union (“EU”) on 27 December 2022. The NIS 2 Directive aims to strengthen, expand and harmonise the existing cybersecurity framework in the EU.
The NIS Directive (Directive 2016/1148/EC) (“NIS 1”) which the NIS 2 Directive replaces focused on protecting the critical cybersecurity infrastructure of the EU. The NIS 2 Directive that builds upon this legal framework shifts its focus towards a common cyber risk management, incident reporting and information-sharing obligations in the EU.
The NIS 2 Directive has been introduced to overcome the limitations of the NIS 1. The application scope of NIS 2 Directive includes all entities that; (i) provide their services or carry out their activities in the EU; and (ii) match the description of either an “essential” or an “important” entity in a defined list of sectors. These sectors include banking, financial banking infrastructure, digital providers, cloud service providers, business-to-business ICT service management, etc. The exceptions to these include small and micro businesses which are kept outside the scope in many cases, and the entities that Member States make exemptions for which carry out activities in the areas of national security, public security, defence or law enforcement.
The topics that the NIS 2 Directive differs from the NIS 1 includes the elimination of the previous classification of the entities that was brought with the NIS 1, Member States’ responsibilities, and the additional sectors brought with the NIS 2 Directive.
NIS 2 Directive eliminates the “operators of essential services” or “digital service providers” classification that was brought with the NIS 1. NIS 2 Directive classifies entities as “essential” or “important” with this classification depending on sector or the type of service provided and the entity’s size. All essential and important entities are subject to the same cybersecurity risk management requirements and incident reporting obligations, whereas appropriateness and proportionality requirements will differ according to an entity’s risk exposure, importance and size under the NIS 2 Directive.
NIS 2 Directive will also create a new body called “The European Cyber Crises Liaison Organisation Network” (EU-CyCLONe), for the co-ordinated management of large-scale cybersecurity incidents, and to assure flow of information between Member States and EU bodies. Also under the NIS 2 Directive, ENISA will be given the task to develop and maintain a “European cyber vulnerability registry” to enable entities to document their vulnerabilities.
NIS 2 Directive imposes a set of core policies to all entities that fall within its scope. These policies include risk analysis and incident response, encryption and cryptography, vulnerability disclosure, cybersecurity training and ICT supply chain security, etc.
NIS 2 Directive ensures a minimum level of harmonisation. However, Member States may adopt or maintain provisions that impose higher standards than the NIS 2 Directive.
The NIS 2 Directive will enter into force on 16 January 2023. By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive and apply those measures from 18 October 2024.
You may reach the full text of the Directive via the link below.