Comprehensive Insight into the NIS 2 Directive Regulations
The European Union's NIS 2 Directive, set to come into force on October 16, 2024, marks a significant shift in network and information security regulations, aiming to protect critical infrastructures and promote digital resilience. This new regulatory framework replaces the NIS 1 Directive and expands its scope, affecting a broader range of business sectors across Europe.
### Key Changes from NIS 1 to NIS 2
1. **Expanded Scope and Coverage** The NIS 2 Directive broadens the focus from Operators of Essential Services (OES) to include additional critical sectors such as public administration, waste management, space, food production, and manufacturing of critical products. It introduces a two-tier classification system, distinguishing between Essential Entities (EE) and Important Entities (IE), each with specific obligations.
2. **Stronger Security Requirements and Incident Reporting** NIS 2 sets clearer, more prescriptive cybersecurity obligations, mandating a more rigorous incident reporting process. Entities must now report cyber incidents that could significantly impact the confidentiality, integrity, or availability of services, not just those interrupting continuity.
3. **Personal Accountability for Senior Executives** Unlike NIS 1, NIS 2 imposes personal responsibility on senior executives, who may face legal consequences if their organizations experience breaches due to negligence.
4. **Greater Supervision and Enforcement** Each EU member state must appoint competent authorities responsible for audits and compliance verification. Penalties for non-compliance are higher and more uniformly defined.
5. **Supply Chain Security Emphasis** NIS 2 requires essential and important entities to ensure that their suppliers and contractors maintain robust cybersecurity to prevent indirect breaches through third parties.
### Impact on Business Sectors in Europe
- Core sectors like energy, transport, banking, and healthcare will face increased cybersecurity measures and incident reporting.
- New sectors such as public administration, waste management, space industry, food production, and critical manufacturing are now subject to NIS 2 standards.
- SMEs in critical sectors will increasingly be subject to compliance, reflecting the directive's lower size threshold.
- Organizations in all covered sectors must prepare for stricter audits, more transparency around cyber incidents, and potential personal liability for senior management.
The NIS 2 Directive encourages a holistic approach to cybersecurity, impacting vendor relationships and procurement policies. Compliance involves adopting a structured approach to cybersecurity, implementing technical and organizational measures, and following specific obligations.
Intesa's Security Operations Center (SOC) offers businesses a highly specialized service designed to protect IT infrastructures and ensure compliance with the new regulatory provisions. Monitoring regulatory updates and implementing the required measures will be crucial to meeting deadlines and ensuring business continuity.
The NIS 2 Directive applies to entities with at least 50 employees or an annual turnover of more than 10 million euros, as well as smaller companies operating in critical sectors or providing essential services to obligated entities. The directive aims to strengthen digital resilience and ensure the operational continuity of organizations that provide essential services.
- The expanded scope of the NIS 2 Directive encompasses not only the energy, transport, banking, and healthcare sectors but also private companies in public administration, waste management, space, food production, and critical manufacturing, each with specific obligations attached.
- Under the NIS 2 Directive, entities in all covered sectors must prepare for stricter audits, strengthen their cybersecurity measures, and ensure greater transparency around incidents, with senior management potentially facing personal liability.
- The impact of the NIS 2 Directive reaches beyond direct obligated entities, as it emphasizes the need for supply chain security, requiring essential and important entities to ensure their suppliers and contractors maintain robust cybersecurity to prevent indirect breaches through third parties.