NIS2: What It Is, Why It's Important and How to Prepare

NIS1 was the first EU-wide cybersecurity legislation, going live in 2016. It was designed to boost overall levels of cybersecurity in the EU but it had a number of shortcomings that made it challenging to enforce and confusing for the targeted organizations to comply. The outcome was member states had little incentive to penalize organizations that violated NIS1. 

On 16^th January 2023, NIS2 was introduced to address these shortcomings. NIS2 has a broader scope, expanding to cover a wider range of entities and introducing more stringent security requirements. NIS2 details have already been released and “came into force in 2023,” but the key deadline is October 2024 where national legislatures in the EU will need to have enforceable laws in place.

Key changes from NIS1 to NIS2 include: 

• Expanded scope: NIS2 applies to a wider range of entities than NIS1, including essential and important entities. Essential entities are those that provide critical services to society, such as energy, transport, and healthcare. Important entities are those that play a significant role in the economy or society, such as financial institutions and telecommunications companies. It’s estimated that this will address about 160,000 organizations.
• More stringent security requirements: NIS2 introduces more specific security requirements than NIS1. These requirements cover areas such as risk management, incident detection and response, and information security awareness and training.
• Incident reporting: NIS2 requires organizations to report cybersecurity incidents to the authorities. This will help the authorities to track the threat landscape and to coordinate responses to major incidents.
• Enforcement through penalties: As is the custom with EU initiatives, this one shows its teeth through administrative fines of up to €10 million or 2% of the entity’s total turnover worldwide, whichever is higher, for “Essential Entities” (and there is a slightly lower fine too—€7 million or 1.4% global turnover for “Important Entitles”). These would be additional to any fines that may be applied due to a single incident also falling foul of GDPR rules.

NIS2 will apply to any organization with more than 50 employees whose annual turnover exceeds €10 million, and any organization previously included in the original NIS Directive.

Forcepoint is been a leader in empowering organizations to secure their data and key to this is enabling companies to remain compliant with regulations globally. We have a range of data security solutions that specifically address the stringent security requirements of NIS2, specifically addressing risk management and incident detection and response.

This post is the beginning of a blog series we will be publishing weekly to address specifically how Forcepoint equips organizations to comply with the key areas outlined in NIS2.  Watch for the next post that will tackle the topic of risk management.