The Council of the European Union has formally adopted NIS2, the revised EU network and information security directive. The Council's vote ends an approval process that took two years. NIS2 requires member states to transpose the directive into national law by October 2024, including a broader obligation to report significant cyber incidents.
NIS2 is the successor to NIS1, the EU network and information security directive adopted by the European Parliament and the Council in 2016. After the adoption of a European directive, member states are tasked with incorporating the new rules into national law.
To give an example, The Netherlands incorporated the rules of NIS1 into the 'Network and Information Systems Security Act' of 2018. The names of laws vary by country, but all member states implement the same core cybersecurity rules. NIS1 requires a country's operators of essential services to take appropriate security measures to manage the risks to their networks and information systems, and to notify the competent authority of incidents that have a significant impact on the service.
Member states applied varying definitions of 'essential service providers', but common examples include cloud providers, energy suppliers and drinking water utilities. With the advent of NIS2, the obligation to report and prevent security incidents extends to a much broader range of companies.
One of the main differences between NIS1 and NIS2 is that member states have far less freedom in deciding which companies must comply with the rules.
NIS2 extends the obligation to report and prevent security incidents to all medium-sized and large entities in the sectors listed in its two annexes, eighteen in total, including food, social networking platforms and datacenters, waste management, space and postal and courier services.
This means that any company that exceeds the size threshold and operates in a listed sector is in scope automatically, without a national designation decision; a small number of entity types, such as DNS service providers and top-level domain name registries, are in scope regardless of size. Under NIS1, by contrast, each member state identified its operators of essential services itself and had considerably more freedom of choice.
NIS2 in the Netherlands
Now that the directive has been formally adopted, member states have to incorporate its rules into national law. The transposition deadline is 17 October 2024.
The Netherlands is already taking steps. In July 2022, the government announced that the Dutch implementation of NIS1 would be extended to multi-tenant datacenters and large DNS service providers. Datacenter services are one of the areas that NIS2 newly brings into scope.
By extending its local laws, the Netherlands is moving toward the requirements of NIS2. The government will still have to amend its law, or pass new legislation, to cover the remaining sectors that NIS2 adds. The same goes for every other member state. Countries outside the EU are moving in the same direction: on December 2, the Swiss Federal Council submitted a bill that requires operators of critical infrastructure to report cyberattacks.