The cybersecurity landscape is constantly evolving, and cyberattacks are growing in number, scale and sophistication.
- In fact, according to a study, cybercrimes cost the world $6 trillion annually, representing the greatest transfer of economic wealth in history. It is also expected to reach USD 10.5 trillion annually by 2025.
- Every 11 seconds, there is a new ransomware attack on businesses.
- The global average cost of a data breach was $4.35 million in 2022, and it took an average of 277 days (about 9 months) to detect and contain a data breach.
Even though businesses increase their security budgets and try to adopt more advanced defence mechanisms, keeping up with these threats will continue to be a challenge in the upcoming years.
To respond to the growing threats that come with increased digitalisation and cyberattacks, the European Union has recently passed the Network and Information Systems (NIS) 2 Directive.
What is the NIS2 Directive about?
The new EU Directive, NIS2, imposes stricter legal requirements for cybersecurity in Europe with the goal of:
- Strengthening cyber-resilience of a comprehensive set of businesses operating in the EU across all relevant sectors,
- Achieving a managed security posture maturity,
- Addressing the security of supply chains,
- Streamlining reporting obligations,
- Introducing stricter supervisory security measures,
- And achieving deep-rooted cyber resilience in Europe.
The NIS2 Directive brings legal requirements for cybersecurity risk management measures and reporting obligations.
It’ll help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work. It will also enable information sharing with the private sector and partners around the world.
How does the NIS2 Directive boost the overall level of cybersecurity in the EU?
The NIS2 Directive provides legal measures to increase cybersecurity in the EU by:
- Building on the NIS1 strategy on the security of network and information systems to ensure Member States are appropriately equipped and prepared,
- Establishing cooperation and information exchange among all the Member States by setting up the Network and Information Systems Cooperation Group,
- Creating a culture of security across 7 sectors vital for the economy and society that also rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
What is different compared to the NIS Directive?
- Compared to the previous regulatory framework, the scope has been extended to "all medium-sized and large entities active in the sectors covered by the NIS2 framework which would hence have to comply with the security rules put forward in the proposal".
- Additionally, cybersecurity governance takes on a stronger role under NIS2 than it did under the NIS Directive, with approval and supervision duties imposed on top-level management.
What is the deadline for the NIS2 Directive?
As this is a directive and not a regulation, European member states must transpose the new act into national law by 18 October 2024.
What are the key provisions of the NIS2 Directive?
The NIS2 Directive aims to adapt the EU's cybersecurity framework to current needs and make it future-proof. It introduces several key provisions that aim to enhance organisations’ cybersecurity in the EU. These include:
- Expansion of Scope
One of the most significant changes introduced by the NIS2 Directive is the expansion of scope. The directive applies to a broader range of organisations than the previous iteration, including online marketplaces, search engines, and cloud computing services.
This expansion of scope aims to ensure that a more extensive range of organisations is held accountable for the security of their networks and information systems.
- Cybersecurity Incident Reporting
Under the NIS2 Directive, organisations that provide essential services must report any significant cybersecurity incidents to the relevant national authority. This provision aims to improve the response time to cyber threats and ensure that member states have a comprehensive overview of cybersecurity incidents across the region.
It is worth noting that some member states already have mandatory reporting requirements in place, and the NIS2 Directive builds upon these requirements.
- Strengthening of Security Requirements
The NIS2 Directive also strengthens the security requirements for organisations that provide essential services. These requirements include implementing appropriate technical and organisational measures to ensure the security of their networks and information systems.
They must also ensure effective incident response plans are in place to mitigate the impact of any cybersecurity incidents.
- Certification Schemes
The NIS2 Directive introduces a framework for creating certification schemes for cybersecurity products and services. These schemes will help identify and select products and services that meet a high level of security requirements.
They will also promote the development of cybersecurity products and services that meet the needs of the EU market.
What are the benefits of the NIS2 Directive?
The NIS2 Directive offers several benefits for organisations across the EU. These include:
- Improved Cybersecurity
By expanding the scope of the directive and strengthening the security requirements for organisations, the NIS2 Directive aims to improve overall cybersecurity in Europe. This will help to mitigate the risk of cyberattacks and ensure that organisations are better prepared to respond to cyber threats.
- Increased Cooperation
The NIS2 Directive promotes cooperation between member states and encourages sharing information about cybersecurity incidents. This increased cooperation will help member states to respond more effectively to cyber threats and improve overall resilience.
- Promotion of Innovation
The NIS2 Directive promotes the development of cybersecurity products and services that meet the needs of the EU market. This will help to stimulate innovation in the cybersecurity industry and create new opportunities for businesses in the region.
What is next?
The NIS2 Directive is a significant step forward in improving cybersecurity across the EU.
It’ll help businesses across different industries be appropriately equipped and prepared for cyber-attacks and establish a culture of security.
According to the European Commission, the Directive will be transposed by the Member States by 17 October 2024 (21 months after the entry into force of NIS2). The Commission will then periodically review the functioning of the Directive and report on this for the first time by 17 October 2027 to the Parliament and to the Council.
How can DataGuard help?
At DataGuard, we help businesses enhance their security posture. Whether you’re looking for industry-specific advice, support to set up your information security management system or lower the chance of a costly breach, we help you get things done right. Get in touch with our experts today to find out more.