The 2016 NIS Directive is the cornerstone of the EU’s response to growing cyber threats and the challenges of digitalization. Seven years later, revisions to this directive are gaining pace, with the aim of ensuring appropriate levels of security for networks and information systems in critical and sensitive industries.

The new NIS2 directive was agreed upon between the Commission, the Parliament and the European Council in June 2022. It is expected to come into force on 18 October 2024.
Core NIS2 objectives at a glance:
- Manage security risks
  - Appropriate governance, including risk analysis, incident handling, vulnerability handling and disclosure
  - Supply chain security between entities and their suppliers or service providers
  - Risk-management measures to assess the effectiveness of cybersecurity
  - Asset management and access control policies
- Protect against cybersecurity attacks
  - Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Detect cybersecurity incidents
  - Processes for monitoring and abnormality detection
- Minimize the impact of cybersecurity incidents
  - Crisis management, backup management and disaster recovery
  - Cyber hygiene practices and cybersecurity training
Key updates to NIS2:
- New classification system
  - The distinction between operators of “essential services” and “digital service providers” will be scrapped; entities will instead be divided into “essential” and “important” categories
  - Different levels of supervision and enforcement apply to “essential” and “important” entities
  - “Essential” entities are subject to more stringent regulations, including:
    - Regular audits
    - Evidence of proactive adoption and implementation of cybersecurity measures
    - Harsher penalties for non-compliance
- Widening the scope of entities subject to the reporting and cybersecurity risk-management requirements
  - All medium and large companies in selected sectors will be included in the scope and must adhere to the provisions
  - New sectors will be added based on how crucial they are for the economy and society
- Enforcing penalties
  - €10 million or 2 percent of the entity’s total worldwide turnover for not complying with the reporting and/or cybersecurity risk-management measures
Even entities that are not established in the EU but offer services within the EU have to adhere to the directive. They must also appoint a representative in the EU member state(s) where their services are offered.
Across the Atlantic, in the United States, CISA is working in tandem with NIST to build the NIST Cybersecurity Framework 2.0 that is also slated to be in force in Winter 2024. This will likely introduce similar measures.
Read more about expanding global cybersecurity legislation here, check out this webinar with mobile phone and IoT security expert, David Rogers, or reach out to ZARIOT’s industry experts today to ensure your solutions are at the cutting edge of technology and compliance.
NIS Directive Article 4(4) sectors and sub-sectors subject to provisions of the Directive

| Sector | Subsector | Type of Entity |
|---|---|---|
| Energy | Electricity | Suppliers |
| Energy | Oil | Operators of transmission pipelines |
| Energy | Oil | Operators of oil production, refining and treatment facilities, storage and transmission |
| Energy | Gas | Supply undertakings |
| Energy | Gas | Distribution, transmission and storage system operators |
| Energy | Gas | LNG system operators |
| Energy | Gas | Natural gas undertakings |
| Energy | Gas | Operators of natural gas refining and treatment facilities |
| Transport | Air transport | Air carriers |
| Transport | Air transport | Airport managing bodies, airports, and entities operating ancillary installations within airports |
| Transport | Air transport | Traffic management control operators providing air traffic control (ATC) services |
| Transport | Rail transport | Infrastructure managers |
| Transport | Rail transport | Railway undertakings |
| Transport | Water transport | Inland, sea and coastal passenger and freight water transport companies |
| Transport | Water transport | Managing bodies of ports, including their port facilities |
| Transport | Water transport | Operators of vessel traffic services |
| Transport | Road transport | Road authorities responsible for traffic management control |
| Transport | Road transport | Operators of Intelligent Transport Systems |
| Banking | | Credit institutions |
| Financial market | | Operators of trading venues and central counterparties |
| Healthcare | Hospitals and private clinics | Healthcare providers |
| Water supply/distribution | | Suppliers and distributors of water intended for human consumption |
| Digital infrastructure | | Internet Exchange Points (IXPs) |
| Digital infrastructure | | DNS service providers |
| Digital infrastructure | | Top-Level Domain (TLD) name registries |