What Security Teams Need to Know About NIS2

March 5, 2024

Kevin Diffily

Product Marketing Manager, Risk & Compliance


In 2016, the European Union adopted the Network and Information Security (NIS) Directive (Directive (EU) 2016/1148), its first EU-wide cybersecurity law, with the goal of achieving a common baseline of security across its Member States. The results were mixed: cybersecurity capabilities did increase across the board, but Member States transposed the Directive inconsistently, and identifying which operators of essential services were in scope proved difficult in an increasingly digital economy.

As a result, the EU adopted a second NIS directive (NIS2, Directive (EU) 2022/2555) in December 2022, and it entered into force in January 2023. NIS2 widens the scope to 18 sectors, including energy, transport, health, and digital infrastructure, and tightens obligations around cyber risk management, supply chain security, and incident reporting. An estimated 160,000 or more organizations operating in Europe will now need to commit substantial resources to ensuring their vendors, business partners, suppliers, and other touchpoints within their supply chains are not introducing vulnerabilities. It is a tall order, and organizations will need to move quickly: Member States were given until 17 October 2024 to transpose the Directive into national law, and the obligations apply to in-scope entities from that date.

So, what are the specific objectives within the Directive? And what does it mean for businesses? Let’s break it down.

What's Changed?

The original NIS Directive focused on operators of essential services and digital service providers, and on building national capabilities such as CSIRTs and competent authorities. NIS2 adds an explicit requirement for supply chain security (Article 21(2)(d)), because relationships between companies, their direct suppliers, and their service providers are a well-known source of exposure. It also tightens incident reporting: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. NIS2 has three general objectives that build on that focus:

  1. Increase the level of cyber resilience for EU businesses across relevant industries.
  2. Reduce inconsistencies in cybersecurity resilience by aligning across the board.
  3. Improve the level of joint situational awareness and the collective capability to prepare and respond.

In essence, the Directive points to security alignment between buyers, sellers, suppliers, business partners, and regulatory authorities. Rather than charging each organization alone with securing its entire business ecosystem, the Directive tasks every member of that ecosystem with its share of the work, and it makes management bodies accountable for approving and overseeing the risk-management measures (Article 20). Cybersecurity requirements will increase in scope and breadth, which will demand close coordination across the market.

Download our NIS2 Reference Guide to learn more about the scope and technical components of the NIS2 Directive, and check out our solution brief breaking down how we can help organizations ready themselves for NIS2.

What Are the Outstanding Questions?

In addition to each EU Member State likely introducing slightly different legislation to suit their individual needs, the question of NIS2’s global impact remains unanswered. Since the United Kingdom left the EU, it has had to adopt its own independent security and data privacy standards.

The EU’s General Data Protection Regulation (GDPR), the first large-scale privacy regulation with global reach, may serve as an example of what could come next. GDPR applied in the UK while it was a Member State, and after Brexit the UK retained it as the UK GDPR, which closely mirrors the EU text but is no longer bound to evolve with it. The UK likewise transposed the first NIS Directive as the NIS Regulations 2018, so the open question is whether it will update those regulations along the lines of NIS2. A similar approach seems likely, though it remains unconfirmed.

The United States, on the other hand, still has no GDPR equivalent at the federal level. While the California Consumer Privacy Act (CCPA) affects many US businesses because of California’s economic weight, there is no national counterpart. Will the same be true for NIS2? The US did not adopt a version of the first NIS Directive, so it would stand to reason that it may sit this one out as well.

But with mounting pressure – both internal and external – to ramp up security requirements, it’s possible that the US could enact legislation to reflect some of the core components of NIS2.

How Should Businesses Prepare?

Many companies are not yet prepared to comply with the requirements of this Directive. They will need to move rapidly to upgrade their security postures before the national laws transposing it take effect. Organizations operating in the EU will need to analyze their supply chains comprehensively to determine their standing and readiness; note that an entity established outside the EU can still be in scope if it offers in-scope services within the EU, in which case it must designate a representative in a Member State (Article 26). Those without the resources to assess external vulnerabilities and third-party cyber risk will struggle to reach compliance in time.

BlueVoyant can help determine whether your organization is in scope and give you a clear understanding of your NIS2 maturity. Our suite of solutions can identify gaps against the requirements of the NIS2 Directive and help you address them, enhanced by our extensive technology partnership with Microsoft. Our outcome-driven, cloud-native platform combines internal and external cyber defense capabilities, while our Professional Services team delivers custom reports and security assessments to give your security team confidence in its posture.

For more details on NIS2 readiness, stay tuned for the forthcoming second blog in this series, which will focus more on business impacts and outcomes.