Cyberday.ai
Get started
Login
Topics
ISO 27001
NIS2
Getting started
Framework management
Product security
Settings & advanced
Trial and subscription
User management
Community
Documentation
Personnel guidelines
Reporting
Task management
GDPR
Internal auditing
Personnel security
Risk management
Working as a partner
Continuous improvement
Team collaboration
Show all topics
Webinars
May's monthly review for Cyberday admins (5/2024)
Show all webinars
Videos
Asset documentation
Continuously improving your ISMS
Cyberday overall intro
ISO 27001 and certification audit fundamentals
ISO 27001 and personnel awareness
ISO 27001 and risk management
ISO 27001 introduction
NIS2 introduction
Show all videos
Helps
Documentation
For admins
For partners
Frameworks
Guideline mgmt
Other features
Reporting
Setup and integrations
Task mgmt
User management
Show all helps
Blogs
6 ways to assess security work effectiveness
Access Control & MFA (NIS2 21.2): Build A Solid Foundation with ISO 27001 Best Practices
Understanding HR Security Basics for ISO 27001 & NIS2 Compliance
Build your NIS2 measures for Business Continuity and Backups with ISO 27001
Best Practices from ISO 27001 for Secure System Acquisition and Development: Create your NIS2 measures
Show all blogs
Content library
Kiitos! Saat jatkossa uutiskirjeen sähköpostiisi joka perjantai.
Valitettavasti jotain meni pieleen. Voit olla yhteydessä tiimi@tietosuojamalli.fi.
Kiitos! Saat jatkossa uutiskirjeen sähköpostiisi joka perjantai.
Valitettavasti jotain meni pieleen. Voit olla yhteydessä tiimi@tietosuojamalli.fi.
Academy home
Blogs
NIS2: Get familiar with the EU's new cyber security directive (part 1/3)

NIS2: Get familiar with the EU's new cyber security directive (part 1/3)

In this blog, you'll learn about the background and the reasons behind the EU's new Network and Information Security 2 (NIS2) Directive. This is the first part of a three-part blog series. You'll get the best overall picture about the directive and how your organization should react to it, by reading all the three parts.

Related blog: Part 2 - NIS2 scope and main security requirements

Related blog: Part 3 - Get NIS2 compliant with Cyberday

Original NIS Directive and its replacement

The original Network and Information Security (NIS) Directive, which was published back in 2016, was a significant milestone for the cyber security of the European Union. It became the first EU-wide legislation dedicated to tackling the threats to cyber security. The primary goal was to ensure a consistent and high level of cyber security across relevant industries in all Member States.

While the directive did succeed in enhancing cyber security, it encountered also challenges during its implementation process. These obstacles ultimately led to variations in the level of cyber security readiness among the Member States. It became clear that establishing a unified and resilient cyber security landscape throughout the EU required additional efforts.

In response to the challenges in original NIS Directive and the increased cyber threats brought by digitalisation and cybercrime growth, the European Commission is replacing the NIS Directive. The new proposal, the NIS2 Directive, aims to tackle the challenges of the original NIS by investing more in the following aspects:

  • clearer and more comprehensive security requirements for related organizations
  • addressing also the security of supply chains
  • simplifying reporting guidelines
  • introducing more extensive enforcement methods

What sectors did the original version cover?

The NIS Directive applies to two different categories of organisations: operators of essential services (OESs) and digital service providers (DSPs).

OES refers to organisations that provide services defined critical for the functioning of the economy and society as a whole. This includes critical infrastructure sectors such as water, transportation, and energy, as well as services like healthcare and digital infrastructure.

Security measures of OESs, ENISA

DSPs are organisations that offer specific types of digital services, mostly online search engines, online marketplaces, and cloud computing services.

To qualify as an DSP, an organisation must provide one or more of these services and fall within the category of a medium-sized enterprise.

There is a general exemption for small businesses in the digital services sector. If an organisation has less than 50 employees and a turnover below €10 million, they are not considered an DSP and therefore, NIS2 does not apply to them. However, if the organisation is a part of a bigger group, they must evaluate the staff and turnover of the entire group.

Security measures of DSPs, ENISA

We will cover NIS2 scope and security requirements in more detail in this series' next posts.

Related blog: Part 2 - NIS2 scope and main security requirements

Related blog: Part 3 - Get NIS2 compliant with Cyberday

Why did the NIS Directive fail to establish a high level of cyber security?

Implementation

The implementation of the directive varied among the Member States. Each Member State applied the Directive differently which led to inconsistencies between the Member States' cyber security levels. The lack of consistency weakened the the impact of the directive.

Level of readiness

Different Member States had varying levels of readiness for the Directive. Some Member States already had a consistent and strong cyber security measures and others had a lot of work left. The differences in the starting point resulted to differences in achieving a high level of cyber security.

Defining OESs

Member States had to decide which organisations would be defined as OESs. This proved to be a difficult process due to the complexity of sectors. This furthermore increased the differences in the level of cyber security between Member States.

Reporting requirements

The Directive gave Member States too much control over the requirements of cyber security incident reporting.

Insufficient scope

One of the first reactions to the NIS Directive was that it was not covering all sectors providing key services to economy and society.

How will NIS2 fix the inconsistencies?

Even though mostly based on the original NIS Directive, some big changes will come with the NIS2. The NIS2 Directive introduces a set of enhanced security requirements. The flexibility to customise compliance with these requirements was removed, because the original NIS allowed vulnerabilities due to the excessive flexibility. NIS2 ensures that there is no room for such vulnerabilities, as it clearly outlines the rules that everyone must follow.

NIS2 requires e.g. the following security themes to be well organized in related organizations:

- Information security risk management

- Incident detection, management and reporting

- Cyber security training

- Business continuity planning / crisis management

- Supply chain security

- Data encryption

Read more about these themes and the scope of NIS2 in the second part: NIS2 scope and main security requirements

Questions and feedback

Do you have any further questions, would need another help article or would like to give some feedback? Please contact our team via team@cyberday.ai or the chat box in the right lower corner.

Written by
Matti Lindfors
1.8.2023
@
LinkedIn

Content

Share article

Other similar content from Academy

Blogs

6 ways to assess security work effectiveness

Evaluating the effectiveness of your cybersecurity involves examining the adequacy of your existing security measures. This process helps you identify your current security status and determine the necessary actions to enhance and fortify.
3.5.2024

Best Practices from ISO 27001 for Secure System Acquisition and Development: Create your NIS2 measures

Get tips on securely acquiring and developing systems with a focus on ISO 27001, helping meet NIS2 requirements. Post explains key aspects like secure coding, acquiring secure applications and testing or publishing changes in a controlled manner.
16.4.2024

Build your NIS2 measures for Business Continuity and Backups with ISO 27001

This post offers insight on complying with NIS2's continuity and backup requirements using ISO 27001's best practices. It guides you through continuity planning, backup processes, challenges, and achieving compliance effectively.
12.4.2024

Subscribe to Academy today

Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.

Kiitos! Saat jatkossa uutiskirjeen sähköpostiisi joka perjantai.
Valitettavasti jotain meni pieleen. Voit olla yhteydessä tiimi@tietosuojamalli.fi.
Topics
Reporting
Personnel guidelines
Settings & advanced
NIS2
Personnel security
Show all
Webinars
May's monthly review for Cyberday admins (5/2024)
Show all
Videos
ISO 27001 introduction
NIS2 introduction
ISO 27001 and certification audit fundamentals
Asset documentation
ISO 27001 and personnel awareness
Show all
Helps
Documentation
For partners
Other features
Reporting
Guideline mgmt
Show all
Blogs
6 ways to assess security work effectiveness
Access Control & MFA (NIS2 21.2): Build A Solid Foundation with ISO 27001 Best Practices
Understanding HR Security Basics for ISO 27001 & NIS2 Compliance
Build your NIS2 measures for Business Continuity and Backups with ISO 27001
Best Practices from ISO 27001 for Secure System Acquisition and Development: Create your NIS2 measures
Show all
Content library
Open content libraryLabs
Kiitos! Saat jatkossa uutiskirjeen sähköpostiisi joka perjantai.
Valitettavasti jotain meni pieleen. Voit olla yhteydessä tiimi@tietosuojamalli.fi.