3. What are the objectives of NIS2?
The objective remains to protect entities that provide an essential service for maintaining critical societal or economic activities, in areas such as energy, transport, health, drinking water, digital infrastructure, space, information and communication technology service providers, and public administration. Article 2 of the directive also requires Member States to include certain entities at the national level regardless of their size, because of the critical nature of the essential service they provide, the significant systemic risk involved, or the significant impact on public security.
Regarding cybersecurity risk management measures, the entities concerned must take measures appropriate to the risks they face, taking into account their degree of exposure to those risks, their size, and the likelihood and severity of incidents, in view of the potential societal and economic consequences.
The directive provides for the notification to the competent authorities of significant incidents in order to mitigate their potential spread, to allow entities to seek assistance, to better manage crisis situations, and to share relevant technical information with other entities.
The content of the directive does not regulate cybersecurity in a specific area but imposes minimum measures designed to ensure a high common level of cybersecurity (cross-sectoral, we might say) across the Union for certain entities providing essential services.
For more information:
The NIS2 directive: Who for? Why? - Centre for Cyber Security Belgium