What is the NIS 2.0 Directive?
The NIS 2.0 Directive (Directive (EU) 2022/2555) is the second version of the Directive on the Security of Network and Information Systems. The European Commission proposed it in December 2020, the European Union adopted it in December 2022, and it entered into force in January 2023; Member States had until 17 October 2024 to transpose it into national law. It aims to further improve cybersecurity at European level, taking into account the evolution of cyber threats and the increasing digitalisation of services.
NIS 2.0 replaces the previous NIS Directive of 2016 (Directive (EU) 2016/1148), expanding its scope and strengthening security requirements. It seeks to improve resilience and security in critical and digital sectors, adapting to the constant evolution of digital infrastructures and newly emerging threats.
Who is it addressed to?
NIS 2.0 addresses a far broader set of organizations than its predecessor. It drops the 2016 distinction between operators of essential services (OES) and digital service providers (DSPs) and instead classifies covered organizations as essential entities or important entities, based on the sector they operate in and their size (as a rule, medium-sized and large organizations in the listed sectors, with some entities in scope regardless of size):
- Sectors of high criticality (Annex I): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space.
- Other critical sectors (Annex II): postal and courier services, waste management, chemicals, food, manufacturing (for example medical devices, electronics, machinery and vehicles), digital providers (online marketplaces, online search engines and social networking platforms) and research.
- Public administrations: central government entities are in scope (regional ones at each Member State's discretion), so the directive addresses cybersecurity not only in the private sector but also in the public sphere, protecting government services.
Goals
- Improve resilience and preparedness: Increase the ability of organizations to manage cyber risks and to respond effectively to incidents.
- Establish uniform requirements: Create a harmonised framework across the EU that guarantees a minimum level of security across all covered sectors and Member States.
- Foster cooperation and information sharing: Promote closer coordination between national authorities and companies to share information on threats and vulnerabilities.
- Reinforce the importance of cybersecurity in systems development: Instil the need to adopt cybersecurity practices throughout the life cycle of products and services.
Key Features of NIS 2.0
As we said before, this version is much more demanding than its predecessor:
Organizations are required to implement an all-hazards set of risk-management measures (Article 21), including policies on risk analysis and information system security, incident handling, business continuity (backups, disaster recovery and crisis management), supply chain security, secure acquisition, development and maintenance of systems (including vulnerability handling and disclosure), cyber hygiene and training, policies on the use of cryptography and encryption, access control and asset management, and multi-factor or continuous authentication. Management bodies must approve and oversee these measures and can be held liable for infringements.
Organizations must notify the competent authority or national CSIRT of significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
Periodic risk assessments and implementation of corrective actions are required to mitigate detected vulnerabilities.
NIS 2.0 introduces stricter penalties for non-compliance: administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities, whichever is higher, depending on the severity of the violation.
It requires Member States to adopt a national cybersecurity strategy, to designate competent authorities and CSIRTs, and to take part in the EU-level Cooperation Group and the CSIRTs network, fostering a culture of collaboration and communication on cybersecurity.
How to comply with NIS 2.0

Implementation of security measures
Organizations should take a proactive, all-hazards approach to identifying and managing risks, implementing technical, operational and organizational security controls proportionate to the risk and to the size of the organization.

Develop an incident response plan
Create a clear framework that sets out how security incidents will be detected, handled and reported to the national CSIRT or competent authority within the directive's deadlines, ensuring all employees are aware of the procedures.

Conduct risk assessments
Conduct regular cybersecurity and risk management reviews to detect vulnerabilities and continually improve security posture.

Investment in training and talent development
Train staff on cybersecurity and foster a security culture throughout the organization. Ongoing training is essential to maintain awareness and preparedness for cyberattacks.

Establishment of collaboration mechanisms
Collaborate with other organizations and sectors to share experiences and best practices in cybersecurity.
Compliance with NIS 2.0 is not optional and requires a robust organizational effort. Organizations that fail to comply with the stated requirements may face significant fines and other enforcement measures, which for essential entities can include the temporary suspension of certifications or authorisations and a temporary ban on the persons responsible at management level from exercising managerial functions.
The NIS 2.0 Directive is essential to strengthening cybersecurity in Europe. By expanding responsibility and cooperation in cyber risk management, it establishes a robust framework that helps organizations improve their resilience to cyber threats. Compliance with NIS 2.0 is not only a legal requirement, but also an opportunity to strengthen trust with customers and business partners by ensuring the security and operational continuity of critical services.