Join us today as we map the evolution of the European Union's (EU) cybersecurity regulation – a transition from the Network and Information Security (NIS) Directive to the enhanced NIS2 Directive. We’ll unravel the genesis of the NIS Directive, its more recent NIS2 counterpart, what businesses need to do to stay compliant, and, ultimately, how the EU, through its progressive legislation, is meeting the demands of our increasingly connected and digitally complex world.
In 2016, the EU introduced NIS, the first cybersecurity regulation to apply to all member countries. Each member was encouraged to establish their own Computer Security Incident Response Team (CSIRT) and competent national authorities.
NIS sought to cultivate a security-first mindset across sectors that form the backbone of the economy and society, including energy, transport, water, banking, healthcare, and digital infrastructure. Businesses functioning as operators of essential services in these sectors were asked to implement suitable security measures and promptly report significant incidents to national authorities.
The directive also extended to critical digital services providers, like search engines, cloud computing services, and online marketplaces, instilling a comprehensive approach to cybersecurity.
While the NIS directive marked a substantial step in bolstering member states' cybersecurity capabilities, its implementation proved challenging. This led to a fragmented landscape, with varying degrees of implementation across the internal market.
As the digital realm becomes more and more relevant in our lives, cyber threats are growing in number and sophistication. Recognizing this, the Commission decided to update the NIS Directive to strengthen security requirements, address supply chain security, streamline reporting obligations, and introduce stricter supervisory measures and enforcement requirements.
The new NIS2 proposal eliminates the distinctions between OES and DSP, introducing a streamlined classification of entities as essential or important. It also expands its scope to incorporate new sectors like wastewater management, food, and space, applying to all medium and large companies within these sectors.
The changes also foster better coordination in disclosing new vulnerabilities and the introduction of administrative sanctions akin to those under GDPR. Security requirements are boosted, with clearer provisions on incident reporting and more stringent measures for national authorities.
Collectively, these changes harmonize sanctioning regimes across Member States and strengthen cybersecurity for key information and communication technologies at the European level. By broadening its scope, NIS2 effectively encourages more entities and sectors to strengthen their cybersecurity defenses. This plan is set to substantially enhance Europe's cybersecurity status in the long term.
Member States must transpose the NIS2 Directive into applicable, national law by October 17, 2024, and apply those measures from October 18, 2024, onward. This means that organizations now face the task of adopting and issuing the necessary measures to comply with the local implementation of the NIS2 Directive.
In light of this, companies are urged to start their compliance journeys as soon as possible. This involves a comprehensive look at the organization's cybersecurity posture, identifying potential vulnerabilities, and building robust defenses.
Ultimately, the NIS2 Directive's enhancements are an opportunity for organizations across the EU. By taking the necessary steps towards compliance, companies are aligning with the regulations and fortifying their operations, protecting their customers, and contributing to a more resilient digital Europe.
Before wrapping up, it's important to mention a solution that can help organizations comply with NIS2 requirements: GFI LanGuard. For more than a decade, GFI LanGuard has been instrumental in assisting countless businesses around the world to manage and maintain endpoint protection across their networks. By providing comprehensive visibility into all network elements, GFI LanGuard helps pinpoint potential vulnerabilities and offers the ability to patch these weaknesses. Read more about how GFI LanGuard can help organizations comply with the new NIS2 regulation.
See immediate results. Identify where you’re vulnerable with your first scan on your first day of a 30-day trial. Take the necessary steps to fix all issues.