The NIS2 Directive is a pivotal piece of legislation designed to bolster cybersecurity throughout the European Union. It marks a notable departure from its predecessor (Directive (EU) 2016/1148) and introduces measures to establish a consistently high level of cybersecurity across the Union. By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS2 Directive.
Understanding the NIS2 Directive
The NIS2 Directive, officially recognised as Directive (EU) 2022/2555, was crafted collaboratively by the European Parliament and the Council of the European Union. Its primary objective is to elevate cybersecurity standards across the EU by amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 while repealing Directive (EU) 2016/1148.
Who is Affected by NIS2?
The NIS2 Directive casts a wide net, impacting all entities that provide essential or important services to the European economy and society. The affected categories are delineated as follows:
It’s important to note that an entity may still be classified as “essential” or “important,” even if it does not meet size criteria, particularly when it is the sole provider of a critical service for societal or economic activity in a Member State.
Assessing Compliance with NIS2
Organisations can evaluate their compliance with the NIS2 Directive by following a structured approach, like the one designed by Auren:
B) Gap Analysis
D) Control and Continuous Improvement
Consult Auren’s experts, who, together with cybersecurity specialists or legal advisors, will guide you to ensure comprehensive compliance.
Penalties for Non-Compliance
Understanding the potential penalties for non-compliance is crucial for organisations subject to the NIS2 Directive. Penalties may include:
Additionally, there is a set of Criminal Sanctions, namely:
These measures are designed to hold C-level management accountable and prevent gross negligence in managing cyber risks. The specific fines will vary depending on the Member State, but the Directive establishes a minimum list of administrative sanctions for breaches of the cybersecurity risk management and reporting obligations. As the NIS2 Directive becomes fully integrated, organisations that proactively adhere to its principles contribute not only to their cybersecurity resilience but also to the collective strength of the European Union against evolving cyber threats.
Rui Ribeiro from Consulting & Technology, Auren Portugal