On 17 October 2024, the European Union implemented the Network and Information Security Directive 2 (NIS2), a significant advancement in cybersecurity legislation aimed at bolstering the defenses of critical infrastructure across various sectors. With the primary goal of enhancing the cybersecurity capabilities of essential and important organizations, NIS2 introduces a comprehensive framework requiring operators to adopt minimum cybersecurity standards and report cyber incidents.
The directive expands the scope of its predecessor, the original NIS directive, covering a wider array of industries including energy, transport, healthcare, and digital services. Central to its objectives, NIS2 seeks to improve supply chain security and streamline the reporting process for cybersecurity incidents. Non-compliance can result in substantial fines, reflecting the directive’s stricter enforcement of security measures across the EU.
NIS2 categorizes organizations impacted by the directive into two primary groups: essential entities, which are large organizations meeting specific employee-count and financial thresholds, and important entities, which include medium-sized organizations. This broad coverage means that many more public and private entities will now be held accountable under cybersecurity regulations, creating a more uniform approach to securing infrastructure.
Key components of NIS2 include a duty of care regarding security practices, reporting obligations for cyber incidents, and supervisory mechanisms to ensure compliance. Organizations in sectors outlined in Annex 1, such as banking and drinking water services, will face more rigorous scrutiny regarding their cybersecurity policies. For comprehensive details on the directive, organizations can refer to the official legal text at EUR-Lex – 32022L2555.