NIS: EU’s First Cybersecurity Law
The Network and Information Systems Directive (NIS) was introduced in 2016 as the first European legislation on cybersecurity. Its primary objective was to increase the cyber resilience of EU Member States by identifying essential service operators in the Union and enforce cybersecurity measures, with incident reporting being a central requirement.
Why NIS was revised
However, not long after its establishment, it became clear that the implementation of the Directive varied greatly between Member States. This inconsistent implementation led to a fragmented system where some companies and organizations were considered essential in some countries, but not in others.
To rectify this, the European Commission decided to revise the NIS Directive to clearly define the organizations covered and their specific requirements, a plan that came into fruition in 2021 in the form of the Network and Information Security Directive (NIS 2).
NIS2: A Better Version of NIS
The NIS2 directive expands the scope of the original NIS Directive to include a wider range of organizations, increasing the amount of “entities” covered by a factor of 10. Where NIS only covered sectors such as water supply, energy, digital infrastructure, banking, financial market infrastructure, health, and transport, NIS2 now widens its range of affected sectors to include public administration, digital providers, space, research, postal services, waste management, foods, manufacturing and chemical products.
In addition, NIS2 also strengthens requirements for cybersecurity enforcement, including early mandatory incident reporting, widened risk management and a newly defined designation of C-level cybersecurity responsibility.
To bolster Europe’s resilience against current and future cyberthreats, the NIS 2 Directive introduces new requirements and obligations for organizations in four overarching areas: risk management, corporate accountability, reporting obligations, and business continuity.