NIS2 Regulation: New Cyber Security Standards for European Businesses

NIS2 is designed to strengthen and harmonise cyber security requirements, extend its scope to more industries, and introduce stricter reporting and penalties. This updated framework is crucial for safeguarding critical digital infrastructure in response to the growing threat landscape.

So, what’s changed as of the 17th October 2024?

Expanded Scope

Under the original NIS Directive, only a limited set of essential services, such as energy and water, were required to meet cyber security standards. However, cyber threats have become more widespread, and the range of industries at risk has increased.

NIS2 now covers additional sectors, including telecommunications, public administration, waste management, space technologies, food supply chains, medical device manufacturing, and social media platforms. These industries are vital to the functioning of the digital economy, and their inclusion under NIS2 highlights their critical role in ensuring a secure digital ecosystem.

This expanded scope recognises the interconnected nature of modern business. A cyber-attack on one sector can quickly spread to others, disrupting services on a large scale. By broadening its reach, NIS2 ensures more sectors are held to high cyber security standards, thereby reducing vulnerabilities across the board.

Harmonised Security Requirements

Another key improvement under NIS2 is the harmonisation of security requirements across the EU. Previously, member states had flexibility in how they implemented cyber security measures, leading to inconsistent protection across countries. NIS2 introduces more uniform security measures and governance requirements.

These harmonised standards cover key areas such as supply chain security, risk management, and consistent supervision. By establishing a common framework across all member states, NIS2 ensures that organisations are better prepared to face cyber threats, no matter where they operate. This helps improve overall resilience against cyber-attacks, providing stronger, more consistent defences.

Stricter Incident Reporting

NIS2 also introduces stricter incident reporting requirements. Organisations are now required to notify relevant authorities within 24 hours of becoming aware of a significant cyber threat or attack. This quick reporting is crucial to enable timely response and coordination.

Under the previous directive, there was no consistent mandate for timely reporting, which often delayed responses to cyber incidents. By requiring organisations to report incidents within 24 hours, NIS2 ensures faster communication and response, minimising the impact of attacks. This is especially important in the face of increasingly sophisticated threats that can escalate quickly.

Stronger Enforcement and Penalties

A key aspect of NIS2 is the introduction of stronger enforcement mechanisms and tougher penalties for non-compliance. Organisations that fail to meet required cyber security standards can now face fines of up to €10 million or 2% of their global turnover, whichever is higher. These penalties are significantly higher than those in the original directive.

The increased penalties are designed to ensure organisations take their cyber security obligations seriously. In the past, cyber security has often been overlooked or underfunded, but the financial risks posed by these new penalties are meant to encourage businesses to prioritise their cyber security efforts.

Enhanced Cross-Border Collaboration

NIS2 also promotes better cooperation between EU member states, enhancing collaboration across borders to strengthen Europe’s collective cyber defences. This is achieved by improving coordination between Computer Security Incident Response Teams (CSIRTs) and other relevant bodies.

Cyber threats are often global, and this focus on collaboration is crucial in enabling the EU to respond to attacks more effectively. By encouraging member states to share information and coordinate responses, NIS2 fosters a unified approach to defending against cyber threats, enhancing Europe’s overall cyber resilience.

Focus on Supply Chain Security

Finally, NIS2 places significant emphasis on supply chain security. This has long been considered the “soft underbelly” of cyber defences, with attackers frequently exploiting vulnerabilities in third-party vendors or service providers to infiltrate larger organisations.

The updated directive obliges companies to manage the risks posed by their suppliers and service providers, ensuring that they have conducted proper due diligence to prevent weaknesses in their supply chains from being exploited. With the rise of supply chain attacks, this focus is crucial for reducing risks across the entire digital ecosystem.

Conclusion

The NIS2 regulation is a much-needed update to the EU’s cyber security framework, designed to address the rapidly evolving cyber threat landscape.

For organisations operating in the EU, the directive brings increased obligations but also presents an opportunity to build stronger cyber defences. With a particular emphasis on supply chain security, cross-border collaboration, and timely incident reporting, NIS2 aims to create a more resilient digital infrastructure across Europe.

As cyber threats continue to grow in sophistication, NIS2 will play a key role in ensuring that Europe remains protected against the challenges of the digital age.

Author: Paul Rose, Chief Executive Security Officer - Cyro Cyber  

Is your business ready for NIS2?

Our Guardians are here to help make sure that you are. Get in touch today.