In May, the European Council and Parliament agreed upon a new Network & Information Systems (NIS) Directive establishing measures to create a high and unified level of cybersecurity across the EU. The initial proposal by the Commission came in December 2020 as a response to the growing rate of digitalisation and cyberattacks on critical infrastructure. However, flaws began emerging with the original 2016 NIS Directive. Many newly digitised sectors are now susceptible to cyber attacks, so require coverage in the directive’s scope. Also, the quality in governance and incident responding vary across EU industries, with many standards not being met.

Therefore the second iteration of the NIS seeks to expand its scope, covering more sectors embracing digitalisation. Organisations covered are now defined as either Essential Services or Important Entities. Essential services covers critical national infrastructure sectors such as energy, healthcare, and transport. Important entities focus on organisations which, if disrupted, may have short term societal or economic effects but won’t result in long term ramifications. This includes sectors such as postal services, digital providers, and the food and beverage sector. 

Analysis of the initial NIS directive’s implementation found governance and incident response standards weren’t being met. NIS2 addresses this by enforcing risk management responsibilities on senior managers. Requiring knowledge of security standards sufficiently to undertake cyber risk management roles, ensuring the cyber risk analysis and resilience standards specified are met in their organisation and third party supply chains.

NIS2 also redefines the “significant impact” of incidents that require responses. Previously defined by the number of affected users, it now focuses on the disruption level to critical and financial services or materials lost. Organisations have also had their response time reduced from 72 to 24 hours of first becoming aware of an incident to produce an initial report, notifying users of potential risks or disturbances, with the further requirement to create a final in depth report within a month.

NIS2 aims to ensure governance and response standards are kept with the implementation of fines and sanctions of up to €10 million or 2% of an organisation’s worldwide annual turnover if the new standards are not met, creating an incentive to keep them upheld. 

These new standards will remove an EU member state’s ability to implement only select sections of the directive, helping to protect many organisations from cyber threats by establishing a standard high common level of cyber resilience within organisations. In an environment where cyber attacks on critical infrastructure are on the rise, an increase in standards will potentially save them the cost of repairs and increase levels of trust between competent organisations.  

However, the changes have not been received well universally. Firstly, the implementation of these new standards require organisations to have good communication between their senior management and chief information security officer (CISO), and that the senior management have sufficient cybersecurity knowledge to undertake roles in risk management.  This could result in organisations requiring structural reform and/or new senior management/training to ensure current individuals are knowledgeable enough to implement the standards. These changes could be costly and time consuming which may be difficult to achieve when given a time constraint to implement the new requirements.

Furthermore, many organisations such as food and beverage distributors which now fall under the scope of NIS2 often have little comprehension of cybersecurity, meaning they will need to quickly gain the proficiency to implement these standards. This puts many organisations in an awkward position as they do not possess the resources or time to dedicate to these changes without incurring massive costs. This has resulted in many medium-sized food suppliers signing a statement calling for exemptions, arguing that their organisations do not meet the “critical” classification NIS2 sets and that the new scope is not proportionate to the risks and produces unnecessary compliance costs.