The EU has been implementing stringent cybersecurity laws to safeguard EU countries’ critical and important infrastructure. One such law, the NIS2, has gained significant attention due to its complexity and depth. However, Cyen has taken a step towards simplifying its cybersecurity requirements through the innovative use of infographics.
- This is the NIS2 Directive.
On January 16, 2023, the NIS2 directive came into force. It markeda leap forward in securing the European Union’s digital ecosystem.
- Evolution of EU cybersecurity law that created a robust framework
NIS2 builds upon a robust foundation, as the EU legal framework on cybersecurity includes the very first EU cyberscurity law (NIS Directive, 2016), the Cybersecurity Act (2019), the Regulation on European Cybersecurity Competence Centre and Network (2021), and the Cyber Diplomacy Toolbox (2019). The synergy of these lawsaims to achieve a high common level of cybersecurity, fostering the well functioning of the internal market.
- Key novelties via expanding horizons, and strengthening defenses
The NIS2 Directive introduces a set of novelties, making the EU more resilient to cyberattacks and securing its digital future. Keyelements include:
Expanded scope: Unlike its predecessor NIS1, NIS2 casts a wider net, now encompassing sectors beyond the traditional critical infrastructure domains. Energy; transport; banking; financial market infrastructure; health; drinking water; digital infrastructure; wastewater; ICT service management (business-to-business); public administration; space fall within the ambit of “essential entities.”
Postal and courier services; waste management; manufacturing; chemicals; food; digital providers; research fall within the scope of “important entities”
Tiered supervisory regime: Essential entities face a comprehensive, ex ante and ex post supervisory regime, subject to regular or ad hoc audits. Important entities, on the other hand undergo a lighter, ex post supervisory regime.
Timely incident response: NIS2 mandates a swift 24-hour early warning for significant incidents and a 72-hour reporting window. Coordination, disclosure, and the establishment of the EU-CyCLONe enhance the Union’s capability to manage large-scale cybersecurity incidents effectively.
Supply Chain Security: The directive places a heightened emphasis on supply chain security, acknowledging its pivotal role in safeguarding critical sectors. Supply chain attacks increased over 600% this year and companies are falling behind.
SME Empowerment: Recognising the unique challenges faced by Small and Medium-sized Enterprises (SMEs), NIS2 advocates for their support through designated points of contact, guidance, and assistance. It promotes the use of open-source cybersecurity tools tailored to SMEs. CyEn, in alignment with this mission, offers professional advice and support for SMEs striving for compliance.
Aligning with GDPR: NIS2 aligns with GDPR, imposing a 72-hour incident reporting requirement. This synchronisation ensures a swift response to potential data breaches, especially critical in sectors dealing with sensitive information like healthcare.