Network and Information Security Directive 2 (NIS2)

Description

The Network and Information Systems Directive 2 (NIS2) is a significant European Union cybersecurity regulation introduced to bolster the continent’s digital resilience and security in an increasingly interconnected world. Building upon the foundation of the original NIS Directive, NIS2 sets out a comprehensive framework to address emerging cyber threats and strengthen the cybersecurity posture of critical infrastructure and essential service providers.

One of the key objectives of NIS2 is to expand the scope of entities covered by the directive. While the original directive primarily focused on sectors such as energy, transportation, banking, and healthcare, NIS2 broadens its reach to include additional sectors and digital service providers. This means that a wider range of organizations will be subject to stringent cybersecurity obligations, ensuring that critical infrastructure and vital services across various domains are adequately protected against cyberattacks.

NIS2 places a strong emphasis on enhancing incident detection and response capabilities. Organizations under its purview are required to implement robust cybersecurity measures, including risk management, incident reporting, and incident response plans. Additionally, the directive encourages information sharing and cooperation among EU member states to facilitate a coordinated response to cross-border cyber threats. By fostering a collaborative approach and mandating cybersecurity best practices, NIS2 aims to fortify Europe’s cybersecurity defenses and safeguard its critical infrastructure and digital services from evolving cyber risks.

The measures shall be based on an “”all-hazards approach”” that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include “”at least”” the following:
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.