The Network Information Systems Directive (NIS) was published in 2016 and required EU critical infrastructure sectors to meet basic cybersecurity compliance requirements. In October 2024 the second iteration of the Network Information Systems Directive (NIS2) will be going into effect, which will both substantially expand the number of entities required to be compliant in addition to creating additional penalties for non-compliance.
It’s important to note that EU regulation works by mandating that member states enshrine requirements into their own laws. NIS2 is a regulation propagated by the EU parliament requiring that member states use the fundamental requirements contained to create and maintain their own law codes which will be based on, and incorporate all requirements found in NIS2.
We will start by covering NIS before moving onto updated requirements in NIS2.
Key Goals of NIS2
Under NIS2 covered EU organizations will be required to meet specific operational security requirements, report incidents to their national CSIRT teams, and create continuous improvement in security procedures. NIS2 introduces personal liability for the “management bodies” of companies…
