The Network and Information Security (NIS) Directive, adopted in 2016, was the first EU-wide legislation aimed at improving cybersecurity across the member states. It required essential service providers in sectors like energy, healthcare, and transport to implement cybersecurity measures and report significant incidents. However, as cyber threats evolved, the need for an updated framework led to the introduction of the NIS2 Directive.
Key Differences Between NIS and NIS2:
- Scope Expansion:
- NIS Directive focused on “essential service operators” such as energy and transport, alongside some “digital service providers” like search engines and cloud services.
- NIS2 Directive significantly broadens the scope, covering a wider range of sectors, including digital infrastructure (e.g., DNS providers), public administration, and the food sector. It now applies to both “essential” and “important” entities, depending on their size and sectoral relevance, ensuring greater protection across the economy.
- Risk Management and Cybersecurity Requirements:
- While NIS already required risk management practices, NIS2 imposes stricter requirements, particularly focusing on supply chain security and third-party risks. It also introduces obligations around incident response planning, encryption, and business continuity measures, which are designed to ensure entities are better prepared for cyber incidents.
- Incident Reporting:
- NIS required entities to report cyber incidents to national authorities within a reasonable timeframe. Under NIS2, reporting requirements are more detailed and stringent. Incidents must be reported within 24 hours, with follow-up reports required after 72 hours, and a final detailed report due within a month. This tightens the timeline significantly, making incident reporting more immediate and comprehensive.
- Harmonization Across EU Member States:
- NIS2 aims to improve consistency across the EU by introducing uniform criteria for determining which entities fall under its regulations. Unlike NIS, where national authorities had more discretion, NIS2 reduces fragmentation by providing clear guidelines for classifying entities and enforcing cybersecurity measures uniformly.
- Enforcement and Penalties:
- NIS2 introduces more robust enforcement mechanisms. Management bodies of in-scope entities are now explicitly accountable for ensuring compliance, and they can face liability if their organizations fail to meet cybersecurity obligations. The penalties are also more severe: fines can reach up to 10 million euros or 2% of global turnover for essential entities, which is a significant increase compared to NIS.
Overall, NIS2 reflects the EU’s recognition of the increasingly interconnected nature of cybersecurity risks and seeks to ensure a higher level of resilience across critical sectors. This update focuses on broadening the scope, strengthening cybersecurity frameworks, and enforcing stricter reporting and compliance measures to better protect against evolving cyber threats.
If you’re concerned about how these changes impact your business, our experts can help clarify what steps to take and how to strengthen your cybersecurity measures. Reach out to connect with our specialist—we’re here to guide you through these changes and address your specific concerns.