Cyberattacks are becoming more frequent and more complex over time. Ensuring a consistently high level of cybersecurity across the European Union (EU) has long been a focus of the EU Parliament.
To that end, the amended Network and Information Security (NIS) Directive, known as NIS-2, was approved by the EU Parliament on 28 October 2021. It is the first cybersecurity legislation to apply to the entire European Union, and its primary goal is to establish a high common level of cybersecurity shared by all member states.
But what are the significant changes in NIS-2?
Scale: One of the most significant modifications in NIS-2 is the expansion of the original NIS legislation's scope. A larger group of organizations is now covered. This means that cyber resilience measures will need to be implemented on a much larger scale across Europe, driven by escalating commercial interconnection, rapid digitization, and pervasive networking across many sectors.
Governance: The new NIS-2 Directive significantly strengthens security governance by holding senior managers liable for cyber resilience. This mandate is expected to drive organizational reform through a "top-down" strategy: the board and senior management are to treat cyber resilience as a priority rather than leaving it solely within the domain of technical teams.
Incident response obligations: The reporting window has been shortened from 72 to 24 hours. Depending on the scope and type of attack, affected service users and, in some cases, the general public must also be notified.
The NIS-2 Directive aims to raise security standards, address supply chain security, simplify reporting obligations, encourage encryption and the public reporting of vulnerabilities, introduce stricter supervisory measures, and impose more stringent enforcement requirements.