2. What is NIS2?
The European Union (EU) has observed that the scale, frequency, and consequences of security incidents are continually increasing, posing a major threat to the proper functioning of networks and information systems. These systems can also become targets for malicious intentional actions aimed at damaging or disrupting their operation. This evolution has led to an expansion of the cyber threat landscape and the emergence of new challenges that require appropriate, coordinated, and innovative responses in all Member States.
Together with the Cyber Resilience Act (CRA) [4], NIS2 is part of the EU's response and forms the regulatory foundation for measures to ensure a high common level of cybersecurity across the EU.
"NIS2" [5] is the acronym for "Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS Directive)". [6]
The NIS2 Directive [7] replaces "Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union" (NIS1).
The NIS2 Directive does not determine cybersecurity rules applicable to all organizations operating in a particular area. It sets out common minimum measures for cybersecurity risk management and the notification of significant incidents (or significant cyber threats) for all essential and important entities.
On the one hand, the NIS2 Directive sets out obligations regarding national cybersecurity policies; on the other hand, it imposes cybersecurity risk management and incident notification requirements on certain entities.
As regards national policies, these include the national cybersecurity strategy, national cybersecurity crisis management frameworks, the tasks of competent authorities, and national cooperation.
[4] See our article "Connected devices and cybersecurity: the EU is taking action!", in: Fire & Security Alert Magazine No. 31, June 2023, pp. 29-32.
[5] We will preferably use the abbreviation "NIS2" instead of "NIS Directive", as the former is already in use by our federal authorities and is internationally recognized.
[6] Text available on Eur-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555
[7] Briefly presented in our article "Stricter European rules", in Fire & Security Alert Magazine No. 30, March 2023, p. 31.