The European Union recently published the final text of the updated Network and Information Security (NIS2) Directive. The directive, which will enter into force in three weeks, requires companies belonging to critical infrastructure to implement certain security measures.
The updated NIS directive, now available in its final text, specifies the security requirements that companies must meet. These are companies that have been identified as forming a vital part of the national infrastructure of European member states. The directive describes exactly when a company can be designated as “vital infrastructure” and must therefore meet certain security requirements. The National Cyber Security Center checks whether these companies actually meet the requirements and helps them to do so.
New categories of companies
The NIS2 Directive describes, among other things, new categories of companies that can also be designated as critical infrastructure. Examples include telecom operators, but also certain social networks. Other companies covered by the guidelines could include food manufacturers or postal services.
The new directive will also allow for better classifications. In addition to being labeled “vital,” companies can also be labeled “important.” The latter category of companies does not always have to meet strict security requirements, but must report data breaches and cyber attacks.
Other things the NIS2 directive regulates include the creation of a national cybersecurity strategy; it also tightens other laws, for example risk management requirements, and laws and regulations surrounding the use of encryption and the handling of data incidents.
The NIS2 directive further allows European member states to create their own cybersecurity laws, but this is not mandatory. Individual European member states will have 21 months to do so.