EU NIS Directive Receives Update Proposal

The COVID-19 crisis has intensified the threat landscape and introduced new challenges in the context of the already evolving digital transformation of the european society. Service disruptions limited in one service sector may cause cascading effects in other sectors and affect significantly european markets.

On December 6 of 2020, the EU Commission published its proposal for a revision of the Directive on Security of Network and Information Systems (EU NIS Directive). The proposal known as the NIS2 Directive along with its pre-decessor, are a pair of the regulatory initiatives introduced by the EU’s Cybersecurity Strategy for the Digital Decade which is also part of the Strategy regarding technological sovereignty and leadership.

The new proposal focuses on adapting the existing NIS Directive to newly arisen needs and make it capable of governing the future states of digital societies. The following table shows the new additions of the NIS2 proposal in the core domains of the directive:

NIS Directive NIS2 Directive
Basic list of critical services sectors Expanded scope with new sectors based on criticality for the economy and society
Clear size cap inclusion: medium and large companies in selected sectors will be included in the scope
Member States are free to additionally identify smaller entities with a local, high security risk profile
Operators of Essential Services & Digital Service Providers The former distinction is eliminated. Entities are lassified based on their importance, and divided respectively in essential and important categories
Substantial cybersecurity requirements and practices around risk management, incident management & reporting, policies, roles & responsibilities Risk management approach providing a minimum list of basic security elements that have to be applied
More precise provisions on the process for incident reporting, content of the reports and timelines
Substantial supply chain security management based on SLA & risk management Individual companies to address cybersecurity risks in supply chains and supplier relationships
Ex-ante supervision in critical sectors and ex-post supervision for critical digital service providers Stricter supervisory measures
Different supervisory regimes per classification
Stricter enforcement requirements
Strategic guidance for the activities of the CSIRTs network Enhanced role in shaping strategic policy decisions on emerging technologies and increases information sharing and cooperation between Member State authorities
Publication of non-binding guidelines for the EU Members States reagrding NISD implemenation Basic framework with responsible key actors on coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU
Creation of an EU registry based on the above information operated by the ENISA

Stay tuned for the latest updates on NIS2 Directive and compliance services!

Latest News

Ukrainian NBU BankID System preparing for EU recognition

SpearIT is pleased to announce that has undertaken the preliminary conformity assessment of Ukraine's BankID national electronic identification scheme, ...

Read More

Cypriot National eID becomes notified

SpearIT is pleased to announce that the electronic identification (eID) scheme of Cyprus has now been notified as LoA High...

Read More

Cypriot National eID becomes pre-notified

SpearIT is pleased to announce that the first Cypriot electronic identification (eID) scheme has now been pre-notified in the eIDAS Cooperation Network...

Read More