The European Union (EU) enacted the Network and Information Systems 2.0 Directive, known as NIS2, in 2022, a sweeping overhaul of its cybersecurity regulations. The full implementation across member states started this year. For the first time, the directive makes directors and executives accountable, subjecting them to strict penalties. With increasing digitalization and industrial societies’ critical reliance on information systems, the EU views enhanced cybersecurity as a paramount priority. The COVID-19 pandemic further underscored the vulnerabilities within intricate supply networks, prompting the new directive to explicitly address these critical links’ cyber resilience. This directive, formally known as Directive (EU) 2022/2555, aims to establish a high standard level of cybersecurity across the Union to improve the functioning of the internal market. The legislation significantly expands the scope and requirements of its predecessor, the 2016 NIS Directive, impacting designated ‘essential’ and ‘important’ entities and their extensive supply chains. Essential sectors include Energy, Health, Transport, Finance, Water Supply, Digital Infrastructure, Public Administration, and Space. The move comes amid escalating geopolitical tensions and a surge in sophisticated cyber threats, including ransomware, phishing, and disinformation campaigns. NIS2 establishes a framework obligating member states to adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact, and computer security incident response teams (CSIRTs). By April 17, 2025, member states must establish lists of essential entities, which will be regularly reviewed and updated. Entities falling under categories listed in Annex I (sectors of high criticality like energy, transport, banking, and health) and Annex II (other critical industries such as postal and courier services, food production, and manufacturing) are subject to the directive. Entities that do not qualify as essential but are of the types listed in the annexes are considered important entities. Member states can also identify other entities as necessary based on criteria outlined in the directive. To populate these lists, entities must submit detailed information to competent authorities, including their address, contact details, relevant sector, and where they provide services. Any changes to this information must be noted immediately and within two weeks. The directive emphasizes the responsibilities of management bodies within these entities, requiring them to approve, oversee, and be held liable for implementing cybersecurity risk-management measures. Furthermore, management body members must undergo training to gain sufficient knowledge and skills to identify risks and assess cybersecurity practices. The explicit focus on supply chain cybersecurity is a significant departure from the previous directive. NIS2 mandates that essential entities consider the security-related aspects concerning the relationships between each entity and its direct suppliers or service providers when implementing cybersecurity risk-management measures. This includes considering the vulnerabilities specific to each supplier, the overall quality of their products, and cybersecurity practices, including secure development procedures. Entities will also be required to consider the results of coordinated security risk assessments of critical supply chains at the Union level. This extended responsibility means that businesses operating within the supply chains of essential entities, even if not directly classified as such, will face increasing pressure to demonstrate robust cybersecurity measures. Manufacturers, distributors, and transporters, among others, may need to implement proactive and documented measures like risk assessments, zero-trust architectures, incident response capabilities, and disaster recovery plans. Failure to do so could lead to disruptions and potential liabilities for the essential entities they serve. NIS2 outlines specific cybersecurity risk-management measures that essential entities must implement based on an all-hazards approach. These measures include policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, network security, and information systems acquisition and development. Additionally, policies to assess the effectiveness of cybersecurity measures, basic cyber hygiene practices and training, the use of cryptography and encryption, human resources security, and access control policies. The directive also imposes strict reporting obligations for ‘significant incidents’ that substantially impact service provision. Essential entities must notify their designated CSIRT or competent authority without undue delay, including information enabling the determination of any cross-border impact. Initial notifications must be followed by intermediate and final reports detailing the incident, its causes, mitigation measures, and cross-border effects. For trust service providers, the initial notification deadline for significant incidents is even shorter, within 24 hours of becoming aware. Failure to comply with these risk management and reporting obligations can result in significant financial penalties. Essential entities face fines of up to €10 million or 2% of their total worldwide annual turnover, whichever is higher. Influential entities can be fined up to €7 million or 1.1% of their worldwide annual turnover. These substantial penalties underscore the seriousness with which the EU regards adherence to the new cybersecurity standards. Moreover, the directive introduces the possibility of sanctioning the companies, their directors, and responsible executives for failing to approve and implement the required cybersecurity measures. NIS2 fosters cooperation and information sharing among member states through several mechanisms. The EU created cooperation entities to support strategic collaboration and information exchange. The Computer Security Incident Response Team network (CSIRT) promotes swift and effective operational cooperation among national CSIRTs. The European Cyber Crisis Liaison Organization Network (EU-CyCLONe) will also support the management of large-scale cybersecurity incidents and crises at the operational level. These bodies will collaborate on strategic guidance, best practice exchange, coordinated incident response, and cybersecurity exercises. The directive also encourages voluntary cybersecurity information sharing among entities, including information related to cyber threats, vulnerabilities, and incident response techniques. Member states must facilitate the establishment of cybersecurity information-sharing arrangements within communities of essential entities and their suppliers. The NIS2 Directive represents a significant shift towards a more harmonized and robust cybersecurity framework across the European Union. The directive mandates substantial investments in cybersecurity risk management, incident response capabilities, and supply chain oversight for businesses classified as essential or important. The impact extends far beyond these directly regulated entities. Companies within their supply chains will also need to elevate their cybersecurity posture to meet the expectations of their essential partners. While the directive aims to enhance the overall cybersecurity resilience of the EU economy, it raised concerns about the potential burden on businesses, particularly smaller enterprises, and the complexities of managing cybersecurity risks across intricate global supply chains. Nevertheless, the strong enforcement mechanisms and significant penalties signal the EU’s determination to create a more secure digital environment. Businesses operating in or serving the EU market must proactively adapt to these new requirements to mitigate risks and ensure continued access to the Union’s vast internal market.

EU Bolsters Cybersecurity With NIS2 Directive

The European Union (EU) enacted the Network and Information Systems 2.0 Directive (NIS2) in 2022, a comprehensive overhaul of its cybersecurity regulations. The directive makes directors and executives accountable, subjecting them to strict penalties. It expands the scope of previous cybersecurity regulations to include essential and important entities and their supply chains, aiming to improve the functioning of the internal market and establish a high standard of cybersecurity across the Union.