EU NIS2 Directive for Critical & Important Industries

The 2016 NIS Directive is the cornerstone of the EU’s response to growing cyber threats and challenges facing digitalization. Seven years later, the new NIS2 directive was agreed upon between the Commission, Parliament and the European Council in June 2022.

The updated directive is expected to come into force on 18 October 2024, ensuring that appropriate levels of security for networks and information systems are maintained across all critical and sensitive industries.


Core NIS2 objectives at a glance:
  1. Manage security risks
    • Appropriate governance, including risk analysis, incident handling, and vulnerability handling and disclosure;
    • Supply chain security between entities and their suppliers or service providers;
    • Risk-management measures to assess the effectiveness of cybersecurity controls;
    • Asset management and access control policies
  2. Protect against cybersecurity attacks
    • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  3. Detect cybersecurity incidents
    • Processes for monitoring and anomaly detection
  4. Minimize the impact of cybersecurity incidents
    • Crisis management, backup management and disaster recovery
    • Cyber hygiene practices and cybersecurity training
Key updates to NIS2:
  1. New classification system
    • The distinction between operators of “essential services” and “digital service providers” will be scrapped; entities will instead be divided into “essential” and “important” categories
  2. Different levels of supervision and enforcement for “essential” and “important” entities
    • “Essential” entities are subject to more stringent regulation, including:
      • Regular audits;
      • Evidence of proactive adoption and implementation of cybersecurity measures;
      • Harsher penalties for non-compliance
  3. Widening the scope of entities subject to the reporting and cybersecurity risk-management requirements
    • All medium and large companies in selected sectors will be included in the scope and must adhere to the provisions
    • New sectors will be added based on how crucial they are for the economy and society
  4. Enforcing penalties
    • €10 million or 2 percent of the entity’s total worldwide turnover for not complying with the reporting and/or cybersecurity risk-management measures

Even entities that are not established in the EU but offer services within the EU have to adhere to the NIS2 directive. They must also appoint a representative in the EU member state(s) where their services are offered.

Simultaneously, CISA in the United States is working in tandem with NIST to build the NIST Cybersecurity Framework 2.0. This updated framework is slated to come into force in Winter 2024 and is expected to introduce measures similar to the NIS2 Directive.

Read more about expanding global cybersecurity legislation here, check out this webinar with mobile phone and IoT security expert, David Rogers, or reach out to ZARIOT’s industry experts today to ensure your solutions are at the cutting edge of technology and compliance.    

NIS Directive Article 4(4) sectors and sub-sectors subject to provisions of the Directive 
Sector | Subsector | Type of entity
Energy | Electricity | Suppliers
Energy | Oil | Operators of transmission pipelines
Energy | Oil | Operators of oil production, refining and treatment facilities, storage and transmission
Energy | Gas | Supply undertakings
Energy | Gas | Distribution, transmission and storage system operators
Energy | Gas | LNG system operators
Energy | Gas | Natural gas undertakings
Energy | Gas | Operators of natural gas refining and treatment facilities
Transport | Air transport | Air carriers
Transport | Air transport | Airport managing bodies, airports, and entities operating ancillary installations within airports
Transport | Air transport | Traffic management control operators providing air traffic control (ATC) services
Transport | Rail transport | Infrastructure managers
Transport | Rail transport | Railway undertakings
Transport | Water transport | Inland, sea and coastal passenger and freight water transport companies
Transport | Water transport | Managing bodies of ports, including their port facilities
Transport | Water transport | Operators of vessel traffic services
Transport | Road transport | Road authorities responsible for traffic management control
Transport | Road transport | Operators of Intelligent Transport Systems
Banking | – | Credit institutions
Financial market | – | Operators of trading venues and central counterparties
Healthcare | Hospitals and private clinics | Healthcare providers
Water supply/distribution | – | Suppliers and distributors of water intended for human consumption
Digital infrastructure | – | Internet Exchange Points (IXPs)
Digital infrastructure | – | DNS service providers
Digital infrastructure | – | Top-Level Domain (TLD) name registries
