Search

NIS2 Directive: what is it, how to prepare, and which sectors are included?

On May 13, 2022,  the European Parliament and the Council provisionally agreed on the NIS2 Directive, fortifying a high common level of cybersecurity across the European Union. On November 28, the final text was approved in Council. The directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day following this publication. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law. 

NIS2 Directive: what is the purpose?

The NIS2 Directive responds to Europe's increased exposure to cyber threats by improving the public and private sectors' resilience and incident response capacities and the European Union as a whole. According to the European Council's press release, the revised directive aims to remove divergences in cybersecurity requirements and in the implementation of cybersecurity measures in different member states, as the NIS directive implementation proved to be difficult, resulting in fragmentation at various levels across the internal market.

To achieve this, NIS 2 directive sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state.

NIS2: what's new?

The NIS 2 directive enlarges its scope and forces more industry verticals to strengthen their cybersecurity risk and incident management measures. The adapted directive introduces more draconian supervisory measures for national authorities, harmonizes sanctions regimes, and improves and stimulates information sharing and participation in cyber crisis management across the member states of the European Union.

A quote from MEP Bart Groothuis proves the need for this adaptation: "Ransomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments, and society more resilient to hostile cyber operations. This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work. It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale," he said.

NIS2 Directive: what's the status of the law?

On November 10, 2022, the MEPs adopted the text with 577 votes to 6, with 31 abstentions. Now that the Parliament vote is completed and approved, the Council has to formally adopt the law before it is published in the EU's Official Journal.

Member States will have 21 months to transpose NIS2 into national law. The deadline for Member States to transpose the NIS2 Directive into applicable, national law is 17 October 2024.

Organizations should review the scope of NIS2 and whether their businesses fall within that scope. If an organization concludes that it is likely to fall within the scope of the new legislation, the organization should consider the organizational, financial, and technical steps that will be required to prepare for complying with NIS2.

NIS2 Directive: which sectors are in scope?

The following sectors will be included:

  • Energy (electricity, oil, gas, district heating, and hydrogen)
  • Transport (air, rail, water, and road)
  • Banking, Financial market infrastructures, healthcare (including labs and research on pharmaceuticals and medical devices),
  • Drinking water, Wastewater (but only if it is the main activity),
  • Digital Infrastructures (Telecom, DNS, TLD, data centers, trust services, cloud services)

 

  • Digital services (search engines, online markets, social networks),
  • Space,
  • Postal and courier services,
  • Waste management,
  • Chemicals (production and distribution),
  • Food (Production, processing, and distribution)
  • Manufacturing (specifically, but not limited to, medical, computer, and transport equipment)

How can Orange Cyberdefense help you to comply with the NIS2 Directive?

The Orange Cyberdefense audit and business consulting division can help organizations with its NIS 2 directive road to compliance. We can determine whether you must comply, craft a business case, set up your tailored roadmap, and help you implement the necessary measures.

Depending on the state of your organization's security maturity, the below-mentioned topics are key focus points for improvement:

  • Budgeting cybersecurity roadmap and program (ISO27001 adoption)
  • Implementing a security awareness program
  • Optimizing your cyber incident management
  • Focus on improving your organization's overall technical security posture (network, access control…)

Working on these topics will enhance your cybersecurity resilience and ensure NIS2 directive complian

The Farys water utility company complies with NIS regulations and protects the OT network

What did Farys do exactly to comply with the NIS Directive? 

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.