16.01.2023

Introduction of the NIS 2 Directive

Writer Samira Joineau

On December 27 last year, the NIS 2 Directive was officially published in the Official Journal of the European Union. Entering into force today, this new Directive is presented as an update of the initial NIS Directive, published back in 2016. What does it change?

Introduced back in 2016, the NIS Directive set legal measures for a high common level of cybersecurity across the European Union (EU). It thereby helped to boost the overall level of cybersecurity within the EU. The NIS Directive has now been replaced by an updated version: the NIS 2 Directive. The latter aims at modernizing and updating the existing legal framework, so as to keep pace with the growth of digitization and the evolving cybersecurity threat landscape.

The NIS 2 Directive expands the scope of the sectors and types of critical entities covered. These include providers of public electronic communications networks and services, data center services, wastewater and waste management, manufacturing of critical products, postal and courier services and public administration entities, including the healthcare sector.

In other words, this new Directive has the objective of strengthening the cybersecurity risk management requirements that businesses must comply with, on top of streamlining incident reporting obligations with more specific provisions on reporting, content and timeline. 

This means that every Member State is to define and adopt “a national cybersecurity strategy which provides for the strategic objectives, the resources required to achieve those objectives, and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity” (Article 7, NIS 2 Directive: National cybersecurity strategy).

This national cybersecurity strategy shall encompass, for instance, relevant stakeholders, relevant assets, the promotion of the development and integration of relevant advanced technologies, and the management of vulnerabilities, among others. These objectives and priorities have to be reflected in the different policies adopted accordingly.

Overall, the NIS 2 Directive has been updated to provide legal measures in order to boost the level of cybersecurity within the EU by ensuring: 

  • Member States’ preparedness, by requiring them to be appropriately equipped with, for instance, a Computer Security Incident Response Team (CSIRT) or a competent National framework and Information Systems (NIS) authority
  • cooperation among Member States, through a Cooperation Group aiming at supporting and easing strategic cooperation and the exchange of information among Member States
  • a culture of security across sectors that are vital for our economy and society, which heavily rely on ICTs – such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure

From now on, Member States have 21 months to convert the NIS 2 Directive’s requirements into their respective national legal framework. This seems to go hand in hand with the European Declaration on Digital Rights and Principles and the Digital Decade policy program introduced last week.