How cyber security will change with NIS 2

published on 18 Octiober 2021 | reading time approx. 3 minutes

Directive (EU) 2016/1148 (commonly referred to as the NIS Directive) was introduced to define the measures necessary to achieve a high level of security of networks and information systems, mainly involving Essential Service Operators (OES) and Digital Service Providers (DSP) in various sectors, including that of health, energy, transport, digital infrastructure and water supply.

The main requests to OESs and DSPs mainly concern the adoption of technical and organizational measures in order to increase the security of their networks and IT systems, the adoption of appropriate measures in order to prevent security incidents and/or minimize their impact to ensure the continuity of the service and finally, the communication to the competent authority without undue delay of any security incident that has a significant impact on the continuity of the service provided.

However, in the first version of the Directive, some problems were found in terms of clarity, as the scope of application of OESs and DSPs was not sufficiently defined, leaving Member States with enough discretion in how to implement the requirements as well as in identifying the entities involved. Furthermore, the "coverage" of the sectors was found to be too limited, as the Directive was no longer able to reflect all sectors providing essential services to the economy and society.

In addition to the aforementioned, following the digitization of recent years and greater interconnection, followed by a significant increase in cyber security risks (due to the increase in the use of Cloud services following the massive adoption of remote work (smartworking) caused by the Covid-19 pandemic, the introduction in our daily life of fifth generation (5G) telephony and mobile connectivity technologies and IoT devices), the European Commission has proposed a repeal of the Directive through the introduction of a new one, the so-called NIS 2.

What is going to change in the NIS 2?

These are some important differences between the old and the new Directive:

The new proposal eliminates the distinction between OES and DSP, instead classifying entities as either essential or important;
The coverage of the Directive is expanded in order to cover new sectors (e.g. waste water management, food, space and so on) based on their criticality for the economy and society, including, for this purpose, all medium and large companies of these sectors. At the same time, Member States are guaranteed flexibility in identifying smaller entities with a high-risk profile;
The establishment of a European Cyber Crises Liaison Organization Network (EU-CyCLONe) is proposed in order to support the coordinated management of cybersecurity on large-scale incidents and crises at EU level;
Greater coordination is established in the disclosure of new vulnerabilities discovered throughout the Union;
A list of administrative sanctions (similar to those of the GDPR) is established, including fines for violating cybersecurity risk reporting and management obligations;
The proposal strengthens security requirements for businesses by enforcing a risk management approach and providing a minimum list of basic security elements that must be applied. In addition, it introduces more precise provisions on the process of reporting incidents, the content of the reports and the timing (within 24 hours of the discovery of the incident);
The proposal introduces stricter supervisory measures for national authorities, stricter enforcement requirements and aims to harmonize sanctioning regimes across Member States;
At European level, the proposal strengthens cybersecurity for key information and communication technologies. Member States, in cooperation with the Commission and ENISA, will have to carry out coordinated risk assessments of critical supply chains, building on the effective approach taken in the context of the Commission Recommendation on cybersecurity of 5G networks.

With the revision of the NIS Directive, therefore, the European Commission proposes a re-elaborated version of the level of cyber security throughout the Union in order to increase the resilience of the various sectors involved, both in the public and private spheres.