NIS 2: The European Law on Cybersecurity
NIS 2 - Network and Information Security 2 - is a new directive that replaces the current NIS. This European law is considered very ambitious because it is the first of its kind to try to harmonize how member states handle cybersecurity. It will be enforced once it is transposed into national law by all member states, no later than September 2024.
What makes NIS 2 different from NIS?
Companies within the scope of the NIS 2 directive will be required to submit an initial report within 24 hours of the occurrence of an incident. A second report, with more detailed information about the incident, must be submitted within 1 month.
Similar to GDPR, fines can go up to 2% of worldwide turnover or 10 million Euros, whichever is higher.
This new law aims to achieve a common level of cybersecurity across Europe. The current NIS is not broad enough in scope to cover all essential sectors, and not specific enough to set common rules for European countries. According to the European Parliament Briefing, NIS 2 has three main objectives:
- Make sure important entities in the EU take adequate cybersecurity measures
- Standardize implementations across the EU by defining 7 requirements that must be addressed, including incident response, supply chain security, encryption and vulnerability disclosure.
- Increase trust and collaboration between member states by establishing an EU Crisis Management Framework.
NIS 2 distinguishes two entity types that fall within its scope: Operator of Essential Services (OES) and Digital Service Provider (DSP). These entities operate in sectors considered essential or important, including energy, transport, banking, financial markets, health, drinking water, wastewater, digital infrastructure, public administration, telecom, and space. They will be required to pay special attention to cybersecurity: they must notify the authorities within 24 hours of an incident, implement risk management, conduct regular audits, and assess the supply chain used to acquire products and services.
The European Cybersecurity Agency, ENISA, will have increased responsibilities and will submit a report on the state of cybersecurity in the EU every two years. It will implement a coordinated risk assessment per critical ICT sector. Member states will require essential and important entities to certify specific ICT products.