The European Network and Information Security Directive (NIS2)

The EU has been implementing stringent cybersecurity laws to safeguard EU countries’ critical and important infrastructure. One such law, the NIS2, has gained significant attention due to its complexity and depth. However, Cyen has taken a step towards simplifying its cybersecurity requirements through the innovative use of infographics.

  • This is the NIS2 Directive.

On January 16, 2023, the NIS2 directive came into force. It marked a leap forward in securing the European Union’s digital ecosystem.

  • Evolution of EU cybersecurity law that created a robust framework

NIS2 builds upon a robust foundation, as the EU legal framework on cybersecurity includes the very first EU cybersecurity law (NIS Directive, 2016), the Cybersecurity Act (2019), the Regulation on the European Cybersecurity Competence Centre and Network (2021), and the Cyber Diplomacy Toolbox (2019). The synergy of these laws aims to achieve a high common level of cybersecurity, fostering the well-functioning of the internal market.

  • Key novelties via expanding horizons, and strengthening defenses

The NIS2 Directive introduces a set of novelties, making the EU more resilient to cyberattacks and securing its digital future. Key elements include:

Expanded scope: Unlike its predecessor NIS1, NIS2 casts a wider net, now encompassing sectors beyond the traditional critical infrastructure domains. Energy; transport; banking; financial market infrastructure; health; drinking water; digital infrastructure; wastewater; ICT service management (business-to-business); public administration; and space fall within the ambit of “essential entities.”

Postal and courier services; waste management; manufacturing; chemicals; food; digital providers; and research fall within the scope of “important entities.”

Tiered supervisory regime: Essential entities face a comprehensive, ex ante and ex post supervisory regime, subject to regular or ad hoc audits. Important entities, on the other hand, undergo a lighter, ex post supervisory regime.

Timely incident response: NIS2 mandates a swift 24-hour early warning for significant incidents and a 72-hour reporting window. Coordination, disclosure, and the establishment of the EU-CyCLONe enhance the Union’s capability to manage large-scale cybersecurity incidents effectively.

Supply chain security: The directive places a heightened emphasis on supply chain security, acknowledging its pivotal role in safeguarding critical sectors. Supply chain attacks increased over 600% this year and companies are falling behind.

Protection for small and medium-sized businesses (SMEs): Many SMEs are not currently part of the crucial conversation around supply chain security, a gap that NIS2 addresses diligently. With supply chain attacks increasing over 600% this year, it is evident that companies are falling behind. Every small business, regardless of its current involvement, will therefore be required to elevate its cybersecurity preparedness, particularly when it operates within a supply chain that includes larger companies deemed essential or important entities. NIS2 underscores the significance of such measures, emphasising the need for collective diligence to mitigate the escalating risks associated with supply chain vulnerabilities.

SME empowerment: Recognising the unique challenges faced by SMEs, NIS2 advocates for their support through designated points of contact, guidance, and assistance. It promotes the use of open-source cybersecurity tools tailored to SMEs. CyEn, in alignment with this mission, offers professional advice and support for SMEs striving for compliance.

Aligning with GDPR: NIS2 aligns with GDPR, imposing a 72-hour incident reporting requirement. This synchronisation ensures a swift response to potential data breaches, which is especially critical in sectors dealing with sensitive information, such as healthcare.