The Network and Information Security (NIS) directive was an EU-led initiative which aimed to achieve a common level of cybersecurity across member states. While it increased cybersecurity capabilities, implementation proved challenging, leading to fragmentation across the market. To address growing threats from digitalisation and cyber-attacks, the commission proposed replacing the NIS directive with NIS2, which strengthens security requirements, addresses supply chain security, streamlines reporting, and introduces more stringent supervisory and enforcement measures, including harmonised sanctions across the EU. NIS2 broadens the range of entities falling under its scope, encompassing many organisations that were not required to comply with the original NIS Directive.
The new legislation entered into force on 16 January 2023, and member states have until 17 October 2024 to transpose its measures into national law, and non-compliance could lead to significant fines. In the UK, businesses could be fined up to £17 million; in the EU, ‘essential’ entities face penalties of up to €10 million, or 2% of their total turnover globally.
The existing NIS scope will significantly expand in the EU, with organisations in several new sectors deemed ‘essential’. These sectors include space, wastewater, public administrations (exceptions may apply), data centre service providers, trust service providers, content delivery networks, and public electronic communications networks and services. Other sectors, such as postal services, chemicals, and manufacturing of key products, will also have to comply with the requirements as ‘important’ entities. However, they will be subject to less regulatory oversight than those classified as ‘essential.’
What happens now?
Member states have until 17 October 2024 to take the appropriate measures to ensure compliance with NIS2 requirements. Businesses must use this time to understand how the new directive will affect them and what steps they need to take to demonstrate compliance.
It’s important to note that according to Article 24 of the NIS2 directive, member states also have the option to require certification of ICT products, services, and processes for essential or important entities under European cybersecurity schemes. Depending on your business category, certification against specific standards such as ISO 27001 and CSA STAR may become mandatory. It is therefore crucial to understand how each member state applies the directive, as there might be variations across different territories.
Partnering with LRQA
With our connected portfolio of advanced cybersecurity solutions, we are dedicated to helping you address the requirements of NIS2.
We deliver a comprehensive range of assessment services against the world's leading standards, including ISO 27001, complemented by a portfolio of advanced cybersecurity solutions delivered by our specialists, LRQA Nettitude. We can certify your systems, address vulnerabilities, and help prevent attacks and incidents – supporting your journey to NIS2 compliance with deep technical insight and expertise.
Who we work with
We help businesses across dozens of sectors push forward and achieve like never before. How can we help you?
BAE Systems: Elevating operational excellence and employee well-being
Discover BAE Systems Rochester's dedication to operational excellence as they partner with LRQA for ISO 45001 certification and ISO 45003 guidance.