NIS2 Directive: who Must Comply?

What is the NIS2 Directive and who must comply with it?

The NIS2 Directive (Network and Information Security Directive 2) is an update of the European Union’s original NIS Directive, designed to improve and strengthen cybersecurity across the EU.

What is the NIS2 Directive?

NIS2 updates the original NIS Directive to address the shortcomings identified in it: it broadens the directive's scope and strengthens the requirements for security and for cooperation between Member States.

Main Objectives of the NIS2:

1. Expanded Scope: Covers a greater number of sectors and entities essential to the economy and society.
2. Enhanced Security Requirements: Implements stricter and more detailed cybersecurity requirements.
3. Risk Management and Incident Notification: Reinforces the need to manage risks and report security incidents in a timely manner.
4. Cooperation and Coordination: Improves cooperation and coordination between EU Member States.
5. Supervision and Enforcement: Grants greater powers to national authorities to supervise and enforce the directive.

Who must comply with it?

The NIS2 Directive significantly expands the number of sectors and entities that must comply with its requirements. This includes both operators of essential services and digital service providers.

The following are the key sectors and entities that must comply with NIS2; the list is long, but it allows the sectors to be categorized.

Key Sectors:

1. Energy:

  • Electricity
  • Gas
  • Oil

2. Transportation:

  • Airlines and airports
  • Railroads
  • Maritime transportation and ports
  • Road transportation

3. Banking and Finance:

  • Banking institutions
  • Financial market infrastructure

4. Health:

  • Healthcare providers
  • Laboratories and manufacturers of medical products

5. Drinking Water and Wastewater:

  • Drinking water suppliers
  • Wastewater management services

6. Digital Infrastructure:

  • DNS Service Providers
  • Data centers
  • Content Delivery Networks (CDN)

7. Public Administration:

  • Government entities and public administrations

Digital Service Providers:

  • Online search engines
  • Cloud computing services
  • E-commerce platforms

Key Compliance Requirements:

1. Security measures

  • Implement appropriate technical and organizational measures to manage the risks to the security of their networks and information systems.
  • Update security policies on a regular basis to address new threats and vulnerabilities.

2. Incident Management:

  • Establish procedures for detecting, managing and reporting security incidents.
  • Report significant incidents to the appropriate authorities within a specified timeframe (generally 24 hours for initial notification).

3. Risk Assessment and Management:

  • Conduct regular risk and vulnerability assessments.
  • Implement risk mitigation and contingency plans.

4. Training and Awareness:

  • Provide ongoing cybersecurity training to staff.
  • Promote a security culture within the organization.

5. Cooperation and Communication:

  • Collaborate with other national and international entities and authorities in the management of cybersecurity incidents.
  • Participate in information exchange initiatives on threats and vulnerabilities.

6. Supervision and Compliance:

  • Submit to periodic audits and reviews by the competent authorities.
  • Comply with sanctions and corrective measures imposed in case of non-compliance.

Conclusion

The NIS2 Directive establishes a broader and stricter framework for improving cybersecurity in the EU, covering a greater number of critical sectors and entities. Those organizations operating within these sectors must comply with the NIS2 requirements by implementing appropriate security, risk management and incident reporting measures, as well as collaborating with other entities and authorities to strengthen resilience to cyber threats.
