EU’s NIS2 Directive: Entities, Compliance, Monitoring, Incident Reporting, Penalties included

June 16, 2024

TLDR:

  • The EU has updated its Network and Information Security Directive, known as the NIS2 Directive.
  • The NIS2 Directive covers a wide range of sectors and introduces new obligations for compliance, risk management, incident reporting, and penalties.

In response to the rise in cyberattacks and the pace of digital transformation, the European Union has revised its Network and Information Security (NIS) Directive, creating the NIS2 Directive, which entered into force in January 2023. The NIS2 Directive aims to strengthen cybersecurity and resilience across the organizations within its scope, covering both highly critical and critical sectors.

The NIS2 Directive introduces uniform obligations for organizations operating in eighteen critical sectors, focusing on compliance monitoring, risk management, incident reporting, and penalties. Large and medium-sized organizations fall within the scope of NIS2 based on their size and on their impact on critical or highly critical areas. Compliance monitoring differentiates between essential and important entities, with enhanced oversight for essential entities from highly critical sectors.

Incident reporting under the NIS2 Directive follows a new timeline: an early-stage report within twenty-four hours of becoming aware of an incident, a notification within seventy-two hours, and a final report within one month. Penalties for non-compliance include fines of up to €10 million or a percentage of the total annual global turnover, depending on the entity’s classification.

The NIS2 Directive is a vital step towards creating a safer digital economy in the European Union, offering guidance for compliance and raising the standard of cybersecurity across member states. With the deadline for transposition into national law approaching, organizations must ensure compliance to avoid financial penalties and reputational damage.
