The COVID-19 crisis has intensified the threat landscape and introduced new challenges on top of the already ongoing digital transformation of European society. A service disruption confined to one sector can cause cascading effects in other sectors and significantly affect European markets.
On 16 December 2020, the European Commission published its proposal for a revision of the Directive on Security of Network and Information Systems (the EU NIS Directive). The proposal, known as the NIS2 Directive, is one of the regulatory initiatives introduced by the EU's Cybersecurity Strategy for the Digital Decade, which is in turn part of the EU's strategy on technological sovereignty and leadership.
The proposal adapts the existing NIS Directive to needs that have arisen since its adoption and aims to make it capable of governing the future states of digital societies. The following table lists, for each core domain of the directive, what the NIS2 proposal adds relative to the current NIS Directive:
| Domain | NIS Directive | NIS2 Directive |
|---|---|---|
| Scope | Basic list of critical service sectors | Expanded scope with new sectors, selected on the basis of their criticality for the economy and society |
| | | Clear size-cap rule: medium and large companies in the selected sectors are included in scope |
| | | Member States remain free to additionally identify smaller entities with a local, high security risk profile |
| Classification | Operators of Essential Services and Digital Service Providers | The former distinction is eliminated; entities are classified by their importance into essential and important categories |
| Security requirements for companies | Substantial cybersecurity requirements and practices around risk management, incident management and reporting, policies, roles and responsibilities | Risk management approach with a minimum list of basic security elements that must be applied |
| | | More precise provisions on the incident reporting process, the content of the reports and the timelines |
| Supply chain security | Substantial supply chain security management based on SLAs and risk management | Individual companies must address cybersecurity risks in their supply chains and supplier relationships |
| Supervisory national authorities | Ex-ante supervision in critical sectors and ex-post supervision for digital service providers | Stricter supervisory measures |
| | | Different supervisory regimes per classification (essential vs. important entities) |
| | | Stricter enforcement requirements |
| Cooperation network | Strategic guidance for the activities of the CSIRTs network | Enhanced role in shaping strategic policy decisions on emerging technologies, with increased information sharing and cooperation between Member State authorities |
| | Publication of non-binding guidelines for the EU Member States regarding NIS Directive implementation | Basic framework, with responsible key actors, for coordinated vulnerability disclosure of newly discovered vulnerabilities across the EU |
| | | Creation of an EU vulnerability registry, based on the above information, operated by ENISA |
Stay tuned for the latest updates on NIS2 Directive and compliance services!