Sunlight shines over buildings and people in street

What is the NIS2 Directive and how will it impact your organization?

The EU has passed the NIS2 Directive to ensure a minimum level of cybersecurity across EU member states.

In Brief

  • The EU has approved the NIS2 Directive, in a bid to strengthen its resilience to cyber-attacks across the EU.
  • Organizations should determine whether they fall under the NIS2 Directive's scope and begin to take the initial necessary steps to meet the security standards.

Every morning, we wake up and perhaps take a shower, have a cup of coffee, brush our teeth, and then jump into a train or a car to go to work. This is routine which -almost always- goes smoothly. However, in those rare instances where something goes wrong (i.e., when public transport isn’t working, our heating doesn’t work, the gas stations are closed…), it significantly disrupts our day. Both as individuals and as a society, we are fully dependent on basic amenities such as supply of water, power, petrol, or digital infrastructure. Imagine that the network is down for an entire day – it may be annoying to be unable to make phone calls but, it’s safe to assume that, as individuals, we would manage. However, if we take this same scenario from a broader, societal, standpoint, and imagine that an entire nation cannot communicate for a day, this would undoubtably result in massive monetary and emotional losses. While this may seem like a trivial way to view our complete dependency on our critical infrastructure, it serves to put things into perspective in a relatable way.

The critical infrastructure of a nation is at the heart of every society. Critical infrastructure embodies the processes and technology that keep societies functioning: the heat we need in winter, the water we drink, our electricity, our means of transportation… However, it is precisely this dependence we have on our critical infrastructure that makes it an attractive target for malicious actors: if attackers hit societies where it hurts the most, the likelihood of governments, institutions and organizations meeting the attackers’ demands - however large they may be - will inevitably be higher. 

Several factors are contributing to an increase of cyber-attacks on critical infrastructure worldwide, with two causes that stand out: The magnifying geopolitical turbulences and the technological developments at the reach of malicious actors. As a result, countries are becoming ever more vulnerable and exposed to attacks that could potentially bring societies to a halt. Imagine, for instance, a large-scale attack on a country’s power grid leaving hospitals, homes, banks, or communication networks without electricity. Unfortunately, this would not be the first case of a widespread blackout caused by a cyberattack, and it seems safe to assume that it will not be the last.

It is in this context that the EU has continuously taken action to strengthen the cybersecurity requirements imposed on critical infrastructure across all Member States. In 2016, the European Parliament approved the first piece of EU-wide cybersecurity legislation with the goal to enhance cybersecurity across the EU: the Directive on Security of Network and Information Systems (NIS Directive). Despite achieving significant improvements in cybersecurity risk management processes among critical infrastructure across the EU, the NIS Directive had some drawbacks, such as an insufficient scope in terms of the sectors it covered, or the unequal security measures that were demanded to the companies when the Directive was transposed into the national legislation of each country. In the light of these shortcomings, the European Parliament has recently approved the Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS2 Directive) on the 10th of November 2022, which will repeal the current NIS Directive, amending the requirements on the security of network and information systems and increasing the overall level of cyber resilience required of critical public and private sectors.

The purpose of the NIS2 Directive is to further strengthen the resilience and incident response capacities of the private and public critical sectors, as well as the EU as a whole. To this end, the NIS2 Directive:

  • Broadens the scope of the sectors covered by the directive from seven to eighteen critical industries
  • Introduces new cybersecurity risk and incident management requirements
  • Intensifies the supervisory regime 
  • Strengthens penalties for organizations failing to comply with the requirements
  • Introduces accountability of top management for non-compliance with cybersecurity obligations
  • Includes stricter reporting requirements in the case of a cybersecurity incident
  • Aims at harmonizing cybersecurity requirements and sanction regimes across EU Member States

As Thomas Reid famously wrote in 1786, “A chain is no stronger than its weakest link”. The vulnerabilities of one single critical organization are enough to threaten a whole society, even if the rest of the critical entities are mature in their cybersecurity risk management. This is why, with the above listed amendments, the NIS2 Directive aims at achieving a minimum level of cybersecurity across the EU. A harmonized stance towards cybersecurity will reduce the likelihood and the impact of attacks, thus lessening the threat of societies suffering the frightening consequences of a large-scale cyber-attack on its critical infrastructure.

So, how can your organization play its part in strengthening the EU’s cybersecurity posture? What requirements does the NIS2 Directive establish to ensure that you as an organization meet the minimum security standards? We will dive deeper into this topic in upcoming articles as it is key for companies to begin to take the first steps to ensure they are prepared to face and fulfil NIS2 regulatory requirements. It is our recommendation to begin by understanding whether your organization is indeed within the scope of the legislation. This may not be as straightforward as it seems. Let us take an example: in NIS2, the food production industry is listed as a critical sector; however, what must be considered is that the category of food comprehends several industries such as drinks, chewing gum, or any substances that are used for the elaboration of food. This means, for instance, that a producer of beverages or beer will be considered critical and hence must comply with the regulation. It is our recommendation that you take time to fully understand whether you fall under the scope of NIS2, and if so, in what capacity. If in doubt, we recommend you reach out to an external advisor to help you clarify this concern. At EY we have already supported many organizations in taking this first step in their journey towards NIS2 compliance, and are excited to continue building our clients’ cybersecurity capabilities to ensure they are ready to fulfil all NIS2 requirements when the Danish legislation enters into force.

Summary

The EU has approved the NIS2 Directive, in a bid to strengthen its resilience to cyber-attacks across the EU. The directive broadens the sectors covered from seven to 18 critical industries, introduces new cybersecurity risk and incident management requirements, strengthens incident reporting requirements, intensifies the supervisory and penalty regime, and includes accountability of top management for non-compliance, stricter reporting requirements. Accordingly, EY urges all EU organizations to assess whether their organization is within the scope of the legislation, as this will give companies enough time to adjust or adopt new measures to ensure compliance with NIS2 before it enters into force.

About this article