The NIS (Network and Information Systems) Directive was the first piece of EU-wide legislation aimed at improving the security of network and information systems across the European Union. Since its publication in 2016, organizations in scope have been required to take appropriate measures to secure their network and information systems and to report any incidents that have a significant impact on the continuity of their services. This includes measures such as regularly updating software and security protocols and implementing access controls to prevent unauthorized access to systems.
The updated directive has been designed to expand and harmonize the original scope while introducing more stringent supervisory measures and stricter enforcement requirements. The final text of NIS2 has been passed by the European Union and was published in the EU's Official Journal on 27 December 2022. It will pass into law on 16 January 2023, and organizations will then have 21 months to demonstrate compliance with NIS2 or face supervisory action.
NIS2 has the ambition of reducing losses from cybercrime by €11.3 billion per year. For this aspiration to become reality, an estimated 22% increase in cybersecurity budgets will be required for newly selected organizations, and a 12% increase for organizations that were already covered by the current NIS directive.
The renewed directive now applies to a broader set of vertical industries; it expands the current definition of ‘critical service providers’ by adding a second category of ‘important service providers.’ In an attempt to avoid fragmentation across the member states, NIS2 also streamlines reporting obligations and introduces harmonized sanctions across the EU. This includes fines and penalties for non-compliance with cybersecurity best practices.
The NIS2 Directive strengthens the cybersecurity requirements imposed on supply chains and supplier relationships. Fines for essential entities can reach 2% of global revenue or €10 million, while important entities face fines of up to 1.4% of global revenue or €7 million.
Article 21 describes the best-practice obligations that essential and important entities will be supervised to comply with. The legislation introduces tighter cybersecurity obligations for risk management, reporting and information sharing:
While the spirit of NIS2 is to encourage a culture of risk management, rather than reacting to breaches and incidents, we believe the Armis platform is uniquely positioned to address some of the core obligations stipulated by this directive:
The expansion of the original NIS scope – by adding more entities and sectors to take cybersecurity risk management measures – should help increase the level of cybersecurity in Europe in the medium and longer term. As technologies converge, Armis remains available to help organizations in essential and important sectors.