In this short blog article, we aim to highlight the differences brought by the NIS2 Directive, compared to the previous NIS mandate.

NIS Directive
The NIS Directive (Network and Information Security) was the first legislative act of the European Union that provided a uniform approach to cybersecurity across all member states. The purpose of this directive was to implement a common high level of cybersecurity in all these countries.
In the context of increasing security threats resulting from digitalization and the current geopolitical situation, the implementation of the NIS Directive 1 proved difficult and fragmented across member states.
Thus, the NIS Directive 2, which came into effect on January 16 of the current year, expands the scope in terms of sectors and entities and provides new clarifications regarding incident reporting and sanctions. Member states have 21 months to transpose it into national legislation, and companies will be required to comply with the directive’s provisions starting in the fall of 2024. Although it may seem like there is enough time until then, companies should start preparing for compliance now, based on their cybersecurity policies and their current level of readiness.
Specifically, what are the changes introduced by NIS Directive 2 compared to NIS Directive 1?
1. Improved monitoring and enforcement methods: A list of sanctions has been introduced, including fines for violating risk management directives and reporting obligations.
2. Establishment of an organization to facilitate the coordination of security incident management at the EU level (EU-CyCLONe): This body will assist in cooperation between member states regarding the discovery of new vulnerabilities.
3. Cybersecurity risk management: Strengthened requirements regarding the measures taken in the event of security incidents, crisis management, procedures and policies for discovering and disclosing vulnerabilities, good practices for cybersecurity awareness and employee training, the use of encryption, access control policies, and asset management.
Targeted Activity Areas
NIS Directive 2 covers more industries and sectors than the initial one, incorporating those initially included in NIS:
- Healthcare
- Digital infrastructure
- Transportation
- Water
- Energy
- Banks and financial services
- Digital service providers
Additionally, the following are added:
- Electronic communications providers, networks, or services
- Digital service providers such as social networking platforms and Data Center hosting services
- Wastewater and waste management
- Food industry
- Public Administration
- Postal and Courier Services
- Space Industry
- Manufacturing
You can find a detailed list, along with explanations for each sector, in the complete text of the directive in Romanian.
In conclusion,
Arctic Stream experts are available to assess the cybersecurity posture of your company and recommend best practices and suitable solutions for your business objectives. Additionally, our training division can provide specialized courses on risk awareness and incident response procedures.