NIS2: European directive to strengthen cybersecurity in critical infrastructures

The NIS2 Directive marks a significant advancement in cybersecurity for critical infrastructures, expanding security requirements and affecting a larger number of organizations compared to its predecessor. Below are the most relevant changes and how organizations can prepare to comply with the new regulations.

What is the NIS2 Directive?

The NIS2 Directive (Network and Information System 2) establishes minimum cybersecurity requirements for critical infrastructures in the European Union. Its aim is to strengthen cybersecurity levels in Europe and promote cooperation among member countries to combat cyberattacks. The directive came into effect on January 16, 2023, and Member States must incorporate it into their national legislation by October 17, 2024.

Main Implications of NIS2

The NIS2 Directive brings about substantial changes compared to its predecessor, including:

Expanded Scope: It extends to 18 sectors, incorporating seven new significant sectors.
Supply Chain: Organizations must assess cybersecurity risk throughout their supply chain.
Mandatory Risk Management: Cyber risk management becomes a mandatory requirement.
Training and Audits: Employee training and comprehensive cybersecurity audits are required.
Director’s Liability: Executives will be personally liable for cyber risk management breaches.
Sanctions: Various penalties are imposed for non-compliance.
Reporting Obligations: Strict reporting requirements to the supervisory authority must be met.
Response Teams: Each Member State must designate a national CSIRT (Computer Security Incident Response Team).

Essential and Significant Sectors

NIS2 directly impacts organizations in the following essential sectors:
Energy, Healthcare, Transportation, Banking and Finance, Drinking Water, Wastewater, Digital Infrastructure, ICT Service Management, Space, and Public Administration.

Additionally, it includes significant sectors such as mail services, waste management, chemicals, food, manufacturing, digital services, and research.

Director’s Responsibility

The directive emphasizes the importance of cyber risk management as an integral part of corporate governance. CEOs must oversee and implement measures to ensure risks are identified and managed appropriately.

Compliance Director Requirements

Those leading regulatory compliance in their organizations must be familiar with regulations, document actions taken, and verify their effectiveness. Additionally, they should implement procedures to report incidents to the BSI within 24 hours in case of an attack.

Penalties for Non-Compliance

Penalties for non-compliance with NIS2 vary by sector:
Common breaches: Fines of up to 2 million euros.
Significant sectors: Fines of up to 7 million euros or 1.4% of annual turnover.
Critical infrastructure providers: Fines of up to 10 million euros or 2% of annual turnover.

The NIS2 Directive redefines the cybersecurity framework in Europe, imposing stricter obligations to protect critical infrastructures. Organizations must assess their current situation, identify risks, and ensure they implement necessary measures to comply with this new regulation.
