Understanding and contextualising the NIS2 directive

On the 16th of January 2023, the NIS2 (Network and Information Security) Directive (EU 2022/2555) was adopted by the European Union. The directive comes in a context marked by a resurgence of cybercrime both in forms and numbers. In this sense, it became evident that the previously adopted NIS directive was meeting its limits as that its scope is not sufficiently encompassing.

The member states suffered several cyber incidents, sometimes targeting critical infrastructure. This was exacerbated by the ever-growing and cross-sector digitalisation which also meant the identification of new entry points for cybercrime; A situation which solicited a more comprehensive framework to make EU-based entities more resilient and secure when faced with cybercrime. 

The directive will need to be transposed by Member states into their national laws. The implementation of the directive will be carried out by member states until the 17th of October 2024.

Obligations stemming from the directive

The NIS2 directive intervenes in order to go beyond the narrow scope proposed by the NIS directive and enforces a set of obligations for an array of entities. The entities are categorised under two sectorial groups that are Essential Entities (EE) and Important Entities (IE). The first encompasses sectors such as energy, transport, and health, while the latter encompasses sectors such as manufacturing, digital providers, and postal services. The scoping of the directive also introduces further thresholds, such as a turnover of 50 million euros and the employment of 250 persons for EE, and a turnover of 10 million euros and the employment of 50 persons for IE. The scope of the directive can be amended when transposed by Member States. 

Incident-reporting obligations are a cornerstone of the directive, this aims mainly to increase vigilance and cooperation in essential and critical entities when a cyberattack occurs. Incidents considered significant will need to be reported within 24 hours. The NIS2 directive also stipulates that concerned entities need to have sufficient risk-management measures that include policies, incident handling and business continuity protocols, and training.

The NIS2 thus unifies the obligations for a robust framework of cybersecurity that goes beyond the narrow scope that was offered by the NIS directive. 

The directive’s relevance to Privanova’s work

Privanova’s expertise is centred around data protection, management, and security. Our involvement in R&I projects can indeed result in tools used by essential entities concerned by the directive. Such as medical entities in AI4HEALTHSEC, FACILITATE or the energy sector covered in GLOCALFLEX. Entities are thus expected to comply with the standards stipulated by the directive when implementing such solutions.