The NIS2 Directive represents a significant step forward in European cybersecurity regulations, extending its scope to include more sectors and companies, including small and medium-sized enterprises (SMEs). This new approach underscores the importance of all entities, regardless of their size, in maintaining a secure and resilient digital infrastructure.
The Context of the NIS2 Directive
The NIS Directive (EU 2016/1148), implemented in Spain through the Real Decreto-Ley 12/2018, established the framework for the security of networks and information systems. However, deficiencies were identified that led to uneven application of cybersecurity across the European Union. The NIS2 Directive (EU 2022/2555), published in December 2022, aims to address these shortcomings and must be integrated into national legislation by October 17, 2024.
Main Changes in NIS2
1. Scope Extension: NIS2 extends its application to a greater number of sectors and companies, including medium-sized and, in some cases, small or micro-enterprises.
2. High Criticality Sectors and Other Critical Sectors: The directive adds new sectors and subsectors classified as highly critical, and also includes other critical sectors.
3. Essential and Important Entities: The directive classifies entities as essential and important, establishing different levels of supervision and requirements for each.
4. Notification Obligations and Implementation of Measures: All affected entities must adopt security measures and report significant incidents.
Implications for SMEs
NIS2 highlights the importance of SMEs in the digital ecosystem. While the directive focuses on larger entities, it also recognizes the vital role of SMEs, especially those that are sole providers of essential services or whose operations have a significant cross-border impact.
Preparation for NIS2
For affected companies, it is crucial to begin preparing to meet the requirements of NIS2. This involves assessing current cybersecurity capabilities, raising awareness and training staff, and becoming familiar with incident notification and management processes. The tools and resources provided by INCIBE can be of great help in this process.
The NIS2 Directive underscores the importance of robust and uniform cybersecurity throughout the European Union, highlighting the crucial role of all businesses, including SMEs. Its effective implementation will strengthen the resilience of information systems and networks against cyber threats, benefiting both companies and society as a whole. Preparation and adaptation to this new regulation are essential to ensure the continuity and security of economic and social activities in the digital environment.
via: INCIBE: Part 1 and Part 2. Ciberseguridad Europa.