Comparison of NIS and NIS2 Directives

The transition from NIS to NIS2 marks a significant evolution in the EU's cybersecurity framework. The major differences between the two directives are outlined below.

Scope and Applicability

The original NIS Directive focused primarily on critical information infrastructures and digital service providers, aiming to establish a baseline level of security across member states. Its primary goal was to enhance the overall resilience and security of network and information systems within the EU.

In contrast, NIS2 broadens this scope significantly. It not only redefines what counts as critical infrastructure by including sectors reliant on data infrastructure, but also extends its reach to encompass more types of entities, including all medium and large companies in selected sectors. This expansion reflects the growing recognition of the diverse sources from which cybersecurity threats can emerge.

Security Obligations and Requirements

Under the NIS Directive, entities were required to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems. They also needed to report major incidents that had a significant impact on service continuity.

NIS2 takes these requirements further by introducing stricter and more detailed security and incident response measures. It requires companies to implement risk management practices (such as supply chain security), incident handling, and business continuity management. These updates are designed to ensure that organizations not only prevent but also respond effectively to cyber incidents, reflecting a shift from a purely preventive approach to a more proactive risk management framework.

Monitoring and Enforcement

The monitoring and enforcement mechanisms under NIS were largely foundational, setting up a Cooperation Group and a network of Computer Security Incident Response Teams (CSIRTs) to enable coordination among EU member states. However, this form of enforcement was somewhat limited, relying heavily on member states' willingness and capacity to implement the directive effectively.

NIS2 strengthens these aspects by establishing stricter supervisory measures, enhanced auditing capabilities, and greater enforcement powers for national authorities. It also provides for more significant penalties for non-compliance, to ensure cybersecurity standards are upheld across the EU.

Implications for Critical Sectors

The transition from NIS to NIS2 significantly changes the regulations for critical sectors such as energy, transport, finance, and healthcare. Each of these sectors faces unique challenges and requirements under the new directive:

  • Energy and Transport: These sectors must enhance their cybersecurity measures to protect against the increasing sophistication of cyber-attacks that can disrupt supply and distribution networks. NIS2 mandates stricter security protocols for systems controlling electrical grids and public transportation networks.
  • Finance: Financial institutions are required to implement advanced security measures to safeguard against data breaches that could compromise customer data or financial stability. NIS2 emphasizes the importance of continuous monitoring and immediate incident response to maintain trust and integrity in financial markets.
  • Healthcare: Under NIS2, healthcare providers need to secure personal data against breaches more rigorously, especially in light of recent cyber-attacks targeting patient information. The directive also stresses the importance of ensuring the continuity of medical services, which are critical in emergency situations.

By expanding the directive's scope, enhancing security requirements, and strengthening incident reporting and enforcement measures, NIS2 aims to improve the resilience and security of the European Union's critical infrastructure. As organizations adapt to these changes, the directive's full impact will become increasingly apparent, setting a standard for other regions to follow.