
An Introduction to NIS2 – the EU’s Strengthened Cybersecurity Directive

Omar Benjumea
Field CISO & Business Development
Growing cyber threats have recently pushed the European Union to strengthen its cybersecurity policies, especially in critical sectors - leading to the NIS2 directive.

Growing cyber threats have recently pushed the European Union to strengthen its cybersecurity policies, especially in critical sectors. This led, amongst other initiatives, to the approval back in 2022 of the NIS2 Directive, an update of the previous NIS regulation that seeks to establish a more solid and unified framework for protecting essential information networks and systems. It includes an expanded scope of sectors, heightened company requirements, and updated non-compliance penalties.

What is NIS2?

NIS2 builds upon the original NIS Directive by expanding its scope, introducing heightened requirements for companies, and enforcing stricter penalties for non-compliance. The regulation addresses limitations identified in the first iteration while adapting to the changing landscape of cyber threats.

One of the main differences between NIS and NIS2 is the broadened scope. The original NIS focused on operators of essential services and providers of digital services, which were defined in a somewhat restrictive way. NIS2 considerably extends the spectrum of covered entities, incorporating additional critical sectors and services essential to the economy and society. This now includes areas such as wastewater and waste management, manufacturing of critical products, postal and courier services, or public administration, amongst others. As a result, many more organizations will be subject to the regulation’s requirements.

Transportation was already included in the NIS scope and will continue to be considered an essential service under the new NIS2.

NIS2 is a European directive, meaning it needs to be transposed into the national laws of each EU country. The deadline for that transposition was October of 2024, which only a few countries have met. Most European countries are working with the target of having a local law implementing NIS2 as soon as possible in 2025.

Strengthening Cooperation

Another significant change introduced by NIS2 is the improvement in cooperation mechanisms. NIS2 strengthens collaboration between EU Member States by creating an improved cooperation group and introducing more explicit measures to share information on threats, incidents, and best practices. It also defines the role of ENISA in coordinating and supporting the Member States in the context of this directive. The directive mandates faster and more detailed incident reporting, enabling a more coordinated and agile response at the European level. Additionally, the directive seeks to promote a common approach to risk management and incident notification, helping to reduce discrepancies between different countries’ regulatory frameworks.

A Shift in Accountability

Another significant shift is the emphasis on governance and accountability. The governing bodies and top management of affected entities now have explicit responsibilities in overseeing cybersecurity measures.

This includes ensuring that security policies and procedures are effectively implemented and that sufficient resources are allocated for cyber risk management. Unlike the original NIS, which primarily focused on technical aspects, NIS2 introduces specific sanctions and disciplinary measures for non-compliance, ensuring that companies take a proactive and responsible stance.

NIS2 is a major step forward in building a more resilient digital infrastructure across the EU. But what does it mean for organizations, and how will they be affected? Watch our latest webinar to gain deeper insights into how NIS2 affects the rail industry and what steps you can take to ensure compliance.

Originally published March 27, 2025, updated March 27, 2025.
