NIS2 Directive – Analysis of objectives, impact and alignment measures for companies


One of our organization's short- and medium-term strategic objectives, as a provider of software and digital services, is to align with the NIS 2 Directive. We also have the expertise and qualified staff to offer consultancy and support for NIS 2 alignment to both government entities and private companies. If you are interested, you can download the detailed presentation in PDF format from the attached link.

The NIS2 (Network and Information Security 2) Directive, formally Directive (EU) 2022/2555, is the European Union's replacement for the original NIS Directive (Directive (EU) 2016/1148). Its purpose is to strengthen cybersecurity across Europe by imposing stricter, harmonized requirements on a broader set of organizations. Where NIS1 distinguished "operators of essential services" from "digital service providers", NIS2 classifies in-scope organizations as essential entities or important entities and applies a common set of risk-management and reporting obligations to both.

Main objectives of the NIS2 Directive

Expanding the scope

The NIS2 Directive extends the list of sectors and entities that must comply with cybersecurity requirements. The scope now explicitly covers sectors such as health, digital infrastructure, public administration, ICT service management, space, and manufacturing, and it replaces the member-state-by-member-state identification of operators used under NIS1 with a uniform, size-based rule (see "Affected organizations" below).

Improving national capabilities

Each member state must adopt a national cybersecurity strategy and strengthen its operational capabilities, including designating one or more Computer Security Incident Response Teams (CSIRTs), competent national authorities responsible for supervision and enforcement, and a single point of contact for cross-border cooperation.

Strict reporting requirements

Entities covered by the directive must report significant incidents to their CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident (indicating whether it is suspected to be malicious or to have cross-border impact), an incident notification within 72 hours (with an initial assessment of severity and impact and any indicators of compromise), and a final report no later than one month after the notification. Rapid, staged reporting aims to enable prompt response and minimize the impact of incidents without forcing a complete analysis before the facts are known.

Cooperation and information sharing

The directive promotes cooperation and information sharing among member states and with the European Union Agency for Cybersecurity (ENISA), through the Cooperation Group, the CSIRTs network, and the European cyber crisis liaison organisation network (EU-CyCLONe), to ensure a coordinated response to large-scale cybersecurity incidents.

Risk assessment and risk management

The NIS2 Directive requires entities to take appropriate and proportionate technical, operational, and organizational measures, based on an all-hazards risk assessment, to protect their networks and information systems. The minimum baseline includes policies on risk analysis and information-system security, incident handling, business continuity and crisis management, supply-chain security, secure acquisition, development and maintenance (including vulnerability handling and disclosure), procedures to assess the effectiveness of the measures, cyber-hygiene practices and training, the use of cryptography, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate. Management bodies must approve these measures and can be held personally accountable for non-compliance.

Impact of the NIS2 Directive

For companies

Companies in scope will need to strengthen their cybersecurity measures and demonstrate compliance with the new requirements, which may involve additional investment in technology, specialized personnel, and, because supply-chain security is an explicit obligation, closer scrutiny of their suppliers and service providers.

For authorities

National authorities will need to enhance their capabilities to prevent, detect, and respond to cybersecurity incidents.

The NIS2 Directive represents an important step in strengthening cybersecurity across Europe, considering the increasing sophistication of cyber threats and the growing interconnection of critical infrastructures.

Affected organizations

The NIS 2 Directive broadens its scope by including more sectors and organizations vital to the economy and society. It introduces a new classification, dividing in-scope organizations into essential entities and important entities. Essential entities are subject to proactive supervision and higher maximum fines, while important entities are supervised reactively (after evidence of non-compliance) and face lower maximum fines.

Annex I (sectors of high criticality) covers 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Energy and transport are further divided into 9 subsectors: electricity, district heating and cooling, oil, gas, hydrogen, air transport, rail transport, water transport, and road transport. Large entities in these sectors are generally classified as essential.

Annex II (other critical sectors) covers 7 sectors: postal and courier services, waste management, manufacture and distribution of chemicals, production and distribution of food, manufacturing, digital providers (online marketplaces, online search engines, social networking platforms), and research organizations. Manufacturing is divided into six subsectors: medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers and semi-trailers; and other transport equipment. Entities in these sectors, and medium-sized entities in Annex I sectors, are generally classified as important.

The directive applies to all entities in the listed sectors that meet or exceed the EU threshold for a medium-sized enterprise (50 or more employees, or annual turnover or balance sheet above EUR 10 million). Certain entities are in scope regardless of size, for example DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks, and entities that are the sole provider of a service essential to society in a member state; member states may also bring other smaller entities into scope.

Sanctions for non-compliance

Maximum administrative fines for non-compliance differ by category: member states must allow fines of at least EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least EUR 7 million or 1.4% of total worldwide annual turnover (whichever is higher) for important entities. Where the same infringement has already been fined under the GDPR as a personal data breach, the NIS2 competent authority may not impose a second administrative fine for it, although other enforcement measures (binding instructions, audits, temporary suspension of certifications or of managers' functions for essential entities) remain available.

Implementation timeline

Member states were required to transpose the directive into national legislation by 17 October 2024. On July 19, 2024, the Romanian National Directorate for Cyber Security (DNSC) began drafting the bill to transpose Directive (EU) 2022/2555, which aims to enhance cybersecurity across the Union. This initiative aligns with DNSC's role as the national regulatory, supervisory, and control authority for civilian cyberspace.