NIS 2 – The new EU Cybersecurity directives

NIS 2 – The new EU Cybersecurity directives

To strengthen and support cybersecurity in the European Union, the new EU Cybersecurity directives NIS (Network and Information System) was launched, Directive (EU) 2016/1148.

Although the Directive has significantly strengthened the EU’s cyber resilience, it also revealed shortcomings and some inconsistencies in the application.

This necessitated a revision and adaptation to the rapidly advancing digital transformation, as well as the associated coordinated responses to cyber threats. 

The introduction of a new system

The new directives establish an expanded and more differentiated scope.

This is intended to help create uniform criteria for companies.

Exceptions are foreseen for institutions in the field of national security, considering data protection rules.

A differentiated system for “essential” and “important” entities will be introduced: 

Essential facilities, defined according to the new EU Cybersecurity directives

  • Energy (Electricity, District heating and cooling, Petroleum, Natural Gas, Hydrogen) 
  • Traffic (Air traffic, Rail transport, Navigation, Road traffic) 
  • Banking 
  • Financial Market Infrastructure 
  • Health Service 
  • Drinking Water 
  • Sewage 
  • Digital Infrastructure 
  • Management of ICT Services (B2B) 
  • Public Administration 
  • Space 

Important facilities

  • Postal and courier services 
  • Waste Management 
  • Production, manufacture, and trade of chemical substances 
  • Production, processing, and distribution of food products 
  • Manufacturing/Manufacturing of goods (Manufacture of medical devices and in Vito diagnostics, Manufacture of computers, electronic and optical products, Manufacture of electrical equipment, Mechanical engineering, Manufacture of motor vehicles and semi-trailers, other vehicles construction) 
  • Digital Service Provider 
  • Research 

Information exchange and support

Member States and the Commission are encouraged to establish minimum standards for cybersecurity risk management and reporting without compromising the Commission’s powers in various areas.

Sector-specific Union rules that are stricter or equivalent may take precedence.

Member States must ensure the effective handling of incidents. 

Expertise and resources of the CSIRTs

Each Member State should have at least one Computer Security Incident Response Team (CSIRT) to build trust and promote cross-border cooperation.

The CSIRTs must have the necessary expertise and resources to process sensitive data and monitor networks securely in accordance with EU data protection rules.  

The promotion of open standards, partnerships, and support for small and medium-sized enterprises (SMEs) are also essential. 

small business (KU) < 50 employees ≤ €10 million in sales 
medium-sized enterprise (MU) < 250 employees ≤ €50 million in sales 
large enterprise (GC) ≥ 250 employees > €50 million in sales 

Cybersecurity Initiative at Union level 

In the event of cybersecurity crises, strategies and plans are to be developed in coordination with other relevant actors, such as the European Union Agency for Cybersecurity (ENISA).

The goal is to set up a European vulnerability database.

This database will work with existing systems, such as the Common Vulnerabilities and Exposures (CVE) system, to ensure efficiency. 

Protection of Network and Information systems

Focus is also given to the protection of Network and Information Systems.

Each Member State should draw up a plan for incident preparedness and response.

Companies must take measures to ensure the continuity of their services, and EU member states must take measures to protect their critical infrastructures. 

Raising Transparency and public awareness

Another crucial element of the directive is the creation of transparency through the disclosure of security incidents.

This helps build public trust and raise awareness of cybersecurity risks.

Education initiatives and awareness-raising campaigns are designed to help increase citizens’ digital resilience and provide them with the knowledge they need to navigate the internet safely.

Preventive measures and proactivity

Developing proactive threat identification and response capabilities is essential. Cybersecurity incident reporting is a key element of this proactive approach. 

Integrity of the Internet and Messaging Services

Both internet and messaging services are fundamental components of the digital society.

Their integrity must be ensured through the application of robust security standards.

Access to a secure means of communication is a fundamental right, and the protection of users’ privacy and data is a top priority. 

Cooperation with third countries and international organisations 

The EU is seeking to intensify cooperation with third countries and international organisations.

This includes sharing best practices, sharing information about threats, and developing common responses to global cybersecurity challenges. 

Harmonisation of cybersecurity practices and supply chain risks

Another key concern of the directive is the harmonisation of cybersecurity practices between online service providers and the management of supply chain risks.

Service providers must ensure that their systems and those of their partners meet the requirements and that solid security standards are adhered to, throughout. 

Enforcement and penalties

Competent authorities must have the power to intervene directly in the event of serious cyber threats.

Member States can impose both criminal and administrative sanctions to ensure compliance with the Cybersecurity Directive.

The penalties must be effective, proportionate, and dissuasive.

Essential facilities Important facilities 
Regular, targeted security checks Review only in case of reasonable suspicion
Spot check On-the-spot inspections and external ex-post oversight measures 
Fine: €10 million or 2% of global sales (whichever is higher) Fines of €7 million or 1.4% of global sales 

Review and Update

The directive guidelines are regularly reviewed.

This is to ensure that it remains relevant and effective. Especially given the ever-evolving technology landscape. 

How Emenda can help

It is known that the same 10 software vulnerabilities have caused more security breaches in the last 20 years than any other vulnerabilities. And yet, many companies and organisations still opt for the approach of fixing vulnerabilities only after the scan, after the intrusion, or, worse still, after the event! 

In this world where code is at the heart of so many everyday interactions – from banking to healthcare, from transportation to retail – Secure Code Warrior raises its (metaphorical) shield developing a human-led approach that strengthens the security specialist in every programmer. 
Secure Code Warrior makes improving a developer’s secure coding skills a positive and engaging experience. Recognising that timely and relevant security knowledge for developers is essential to the success of DevSecOps, empowering them not only to find vulnerabilities, but also to acquire the knowledge and skills to fix them – or, better still, preventing them from ever occurring in the first place. 
By inspiring a global community of security-conscious developers to adopt this preventive, secure coding approach, Secure Code Warrior aims to pioneer a human-led, human-centric solution to improve security and eliminate poor coding patterns and the 10 most common vulnerabilities (and of course also the others), forever. 

Contact us today and make software security an integral part of your development process: