NIS2 Framework
1. NIS2 Updates NIS1, Setting EU-Wide Cybersecurity Rules
The NIS2 Directive (Directive (EU) 2022/2555 on network and information security) is a major revision of the original NIS1 Directive (Directive (EU) 2016/1148, adopted in 2016), designed to strengthen cybersecurity across the European Union. NIS1 left member states significant flexibility in deciding which entities were in scope and how the security requirements were implemented, which produced uneven coverage across the EU. NIS2 establishes more harmonized and stringent EU-wide rules: it sets minimum common requirements for risk management, incident reporting, and cross-border cooperation, and it strengthens supervision and enforcement, including administrative fines for non-compliance, so that the security posture is consistent across member states. Member states had to transpose NIS2 into national law by 17 October 2024.
Sectors Covered Under NIS1 (2016)
The original NIS1 Directive applied to "operators of essential services" in seven sectors:
- Energy (electricity, oil, gas)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructures
- Health (healthcare providers, hospitals)
- Drinking water supply and distribution
- Digital infrastructure (internet exchange points, DNS service providers, top-level domain name registries)
NIS1 also covered a separate category of "digital service providers" (online marketplaces, online search engines, and cloud computing services) under a lighter regime: they were not individually identified by member states and faced lower security and reporting expectations than operators of essential services.
Additional Sectors Added Under NIS2
NIS2 significantly expands the scope, adding new sectors and bringing the former digital service providers under the same regime as everyone else:
- Public electronic communications networks and publicly available electronic communications services
- Additional digital infrastructure and ICT services: data centre services, content delivery networks, trust service providers, and managed service providers and managed security service providers (business-to-business ICT service management)
- Digital providers: online marketplaces, online search engines, and cloud computing services (already digital service providers under NIS1, now subject to the full set of obligations) plus social networking services platforms, which are new
- Public administration (entities of central governments and of regional governments; coverage of local level is left to member states)
- Space sector (operators of ground-based infrastructure supporting space services)
- Postal and courier services
- Waste water management and waste management
- Manufacturing of critical products (e.g., medical devices and in vitro diagnostic devices, computers and electronics, machinery, motor vehicles and other transport equipment) and the manufacture, production and distribution of chemicals
- Food production, processing, and distribution
- Research organisations, and within the health sector, entities carrying out research and development of medicinal products and manufacturers of basic pharmaceutical products
Key Differences
(The comparison graphic on the original page is not reproduced here; the main differences it summarised are the following.)
- Scope: NIS1 covered seven sectors plus a lightly regulated category of digital service providers; NIS2 covers eighteen sectors and applies automatically to medium and large entities within them.
- Harmonization: NIS1 left identification of in-scope entities and the detail of security measures to each member state; NIS2 sets minimum common requirements across the EU.
- Incident reporting: NIS2 fixes a staged timeline (early warning within 24 hours, incident notification within 72 hours, final report within one month).
- Supply chain: NIS2 explicitly requires entities to manage supplier and service-provider risk.
- Enforcement: NIS2 introduces harmonized maximum fines and makes management bodies accountable for approving and overseeing the risk-management measures.
Why the Expansion?
The EU recognized that cyber threats have evolved, and that disruptions in sectors like food, space, or public administration can have cascading effects on society and the economy. NIS2 aims to increase resilience, improve cooperation, and ensure a uniform response across the EU.
2. Mandatory Cybersecurity Rules for Essential Sectors
NIS2 expands and formalizes legal obligations for entities operating in essential sectors (such as energy, transport, healthcare, and digital infrastructure) and for digital providers (such as online marketplaces, search engines, and cloud services). Unlike NIS1, which primarily targeted operators of essential services individually identified by each member state, NIS2 applies a size-cap rule: medium and large enterprises operating in a covered sector are automatically in scope, with a limited set of smaller entities (for example DNS service providers and TLD registries) covered regardless of size.
Under NIS2, organizations must:
- Identify and assess cybersecurity risks specific to their operations.
- Implement technical, operational and organizational measures to mitigate these risks (e.g., encryption, access management, regular backups).
- Report significant incidents to the competent authority or national CSIRT within strict deadlines (an early warning within 24 hours of becoming aware of the incident).
3. Expanded Scope to Include New Sectors and Digital Service Providers
NIS2 significantly broadens the scope of the original directive by including sectors and entities that were not covered under NIS1. Key additions include:
- Public administration (central and regional government entities): To secure critical public services.
- Postal and courier services: To protect physical and digital supply chains.
- Food production and distribution: To prevent disruptions in a vital sector.
- Digital service providers (e.g., online marketplaces, social networks, and communication services): To enhance the security of platforms used by millions of Europeans.
- Manufacturers of medical devices and pharmaceuticals: To secure healthcare supply chains.
This expansion reflects the growing interdependence between physical and digital infrastructures and the need to protect sectors previously considered less critical.
4. Obligation to Implement Suitable Cybersecurity Measures
NIS2 requires in-scope organizations (classified as "essential" or "important" entities, depending on sector and size) to adopt appropriate and proportionate measures to manage cybersecurity risks, following an all-hazards approach that covers both cyber and physical threats to their systems. These measures must be based on a risk assessment specific to each organization and include, among others:
- System and network protection (firewalls, intrusion detection, regular updates).
- Access and identity management (multi-factor authentication, least privilege principles).
- Business continuity and incident recovery (backup plans, offline backups).
- Employee awareness and training (phishing simulations, best practices).
- Supply chain security (assessing risks from vendors and subcontractors).
Member states are responsible for supervising and auditing these measures, with administrative fines for non-compliance: for essential entities at least up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, and for important entities at least up to EUR 7 million or 1.4% of turnover. Management bodies must approve the measures and oversee their implementation, and can be held liable for infringements.
5. Stricter Requirements for Risk Management, Incident Reporting, and Supply Chain Security
NIS2 introduces tighter requirements compared to NIS1 in several key areas:
- Risk management: Entities must document and regularly update their risk assessments, accounting for emerging threats (e.g., ransomware, supply chain attacks).
- Incident reporting:
- Staged deadlines: significant incidents require an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month.
- Increased transparency: national CSIRTs and competent authorities share incident information with the EU Agency for Cybersecurity (ENISA) and with other member states affected by the incident.
- Supply chain security:
- Companies must assess cyber risks related to direct suppliers and service providers, taking into account the quality of the suppliers' own security practices, and address security in their contracts.
- Essential entities, which include cloud and data centre providers above the size threshold, are subject to proactive supervision, including regular and targeted security audits; in addition, the EU can conduct coordinated risk assessments of critical ICT supply chains.
Why These Changes?
The goal of NIS2 is to address the evolving cyber threat landscape (increasing attacks, sophisticated cybercriminals, and growing digital dependence) and fill the gaps in NIS1, such as:
- Inconsistent rules across member states.
- Lack of coverage for emerging critical sectors.
- Insufficient penalties for negligent organizations.
By strengthening cross-border cooperation and enforcing common standards, NIS2 aims to create a more resilient digital ecosystem in Europe.