The intense uptake of digital solutions and innovative technologies over the past four years has changed the way we socialise, work, shop, bank, and receive necessary services, such as healthcare. As sectors and services become increasingly interconnected and interdependent, the cybersecurity threat landscape continues to grow in sophistication and focus.
Safeguarding critical infrastructures and services is paramount to protect society and economies from the threat actors behind this landscape. In response, EU lawmakers have introduced several interconnected EU-wide laws to improve the digital and operational resilience of the sectors and services we rely on most.
The second Network and Information Systems Directive (Directive (EU) 2022/2555, ‘NIS2’) is one of these EU-wide laws. It comes into effect on 18 October 2024 and will have a compliance impact on many public and private sector organisations, across 18 sectors, similar to that experienced under the GDPR. The regulatory supervision and enforcement measures under NIS2 bear similarities to the GDPR. However, direct accountability and liability for upper management, and the possible suspension of CEO duties, bring this squarely into the board room.
NIS2 is an evolution from its predecessor NIS-D, extending the legislative scope to capture entities in a number of additional sectors and sub-sectors, including public bodies and a wider range of digital service providers, as well as covered entities’ ICT supply chains.