The NIS2 Directive (2023) introduces significant improvements and changes compared to NIS1 (the original NIS Directive from 2016). Learn more about it below and how the new NIS2 requirements impact countries within the EU as well as the UK.
What is NIS2?
NIS2 refers to the Network and Information Security Directive 2, an updated European Union (EU) legislative framework designed to enhance the security of network and information systems across EU member states. It replaces the earlier NIS Directive (2016), expanding its scope and addressing the growing cyber security challenges faced by critical infrastructure sectors and digital service providers.
The new NIS directive introduces requirements in four key areas: risk management, corporate accountability, reporting obligations, and business continuity.
NIS2 is intended to strengthen the EU’s overall cyber security posture and address the growing complexity and interconnectivity of today's digital landscape. The directive came into effect in 2023, with member states expected to implement it by October 17th 2024.
What are the differences between the Initial NIS Directive and NIS2?
- Broader Scope: NIS2 covers more sectors and introduces the terms ‘Essential Entities’ and ‘Important Entities.’ It now includes sectors such as public administration, space, waste management and food production, as well as more digital infrastructure providers such as content delivery networks, managed service providers, and data centres.
- Uniform Inclusion: NIS2 applies to all large and medium-sized organisations in its outlined sectors, ensuring consistent rules across the EU.
- Stricter Security Requirements: NIS2 mandates stronger cyber security measures, including risk management, supply chain security, and board-level accountability.
- Clear Incident Reporting: NIS2 requires significant incidents to be reported within 24 hours, followed by structured follow-up reports.
- Supply Chain Focus: NIS2 emphasises managing third-party and supply chain risks (see our blog: Is Your Supply Chain Your Weakest Link?).
- Consistent Penalties: NIS2 introduces higher, standardised fines for non-compliance of up to 2% of global turnover.
- Enhanced Cooperation: NIS2 strengthens EU-wide coordination on incident response and threat intelligence sharing.
- Centralised Oversight: NIS2 ensures more consistent enforcement across member states through national authorities.
- Risk Management: NIS2 has clearer, detailed guidelines on risk management practices.
- Critical Entities Resilience (CER): Introduces broader resilience measures beyond cyber security for critical sectors.
How to achieve NIS2 compliance
To achieve NIS2 compliance, organisations need to start by assessing whether they fall under the directive's scope as an Essential or Important Entity. This involves determining if they operate in a critical sector such as energy, transport, health, or digital services. An audit of current cyber security practices should then be conducted to identify areas where improvements are needed. Key areas to focus on include risk management, incident detection, response mechanisms, and supply chain security, ensuring third-party vendors meet cyber security standards.
Organisations must implement clear incident reporting procedures, with the ability to notify authorities within 24-72 hours of significant incidents. Strengthening security controls such as encryption, access management, and regular vulnerability assessments is essential.
Additionally, board-level responsibility for cyber security should be established, ensuring that leadership is accountable for implementing robust security measures. Continuous monitoring, regular audits, and alignment with national authorities will help maintain compliance and manage ever-evolving cyber security threats.
What does NIS2 mean for the UK?
Although NIS2 and its requirements do not apply directly to the UK, which is no longer part of the EU, UK organisations that fall within its scope must still comply in order to do business in the EU, and that covers a large proportion of UK businesses. UK organisations involved in EU supply chains may need to meet stricter cyber security requirements and could face increased compliance costs.
UK organisations should be aware of this new cyber security legislation. Although it does not directly affect them now, it promotes the right behaviours that they should already be undertaking, and it gives a good indication of what is potentially to come in the UK should the UK choose to align its own NIS regulation with NIS2. That alignment is a high possibility given the interconnected nature of digital services and infrastructure between the UK and the EU.
The Cyber Security and Resilience Bill
Earlier this year, the Government introduced a new Bill to strengthen the UK’s cyber security and resilience. In the King’s Speech, the Cyber Security & Resilience Bill was announced as part of a broader set of initiatives under the government's National Cyber Strategy aimed at enhancing the nation's cyber defences and addressing rising threats, particularly in critical national infrastructure sectors like energy, transportation, and healthcare. It mandates strict cyber security standards for operators of essential services and introduces penalties for non-compliance.
The bill also gives the UK government enhanced regulatory powers to enforce these standards, ensuring that organisations adopt robust security practices to mitigate risks and protect vital services.
Additionally, the bill promotes resilience by focusing on strategies to recover quickly from cyber attacks and minimise disruptions. It encourages collaboration between the public and private sectors to share information and coordinate responses to cyber threats. The legislation also addresses emerging risks associated with new technologies like AI, IoT, and 5G, and supports the development of the National Cyber Force, the UK's cyber defence unit, to deter and counteract cyber attacks from foreign actors.
The Cyber Security and Resilience Bill is not very different from the NIS2 directive. Businesses can prepare now by looking at the NIS2 framework and applying its security controls ahead of time, as we have already done at Sharp.