The club has been swung

Now it has happened! The European Parliament's gavel has been swung and met the surface of the table with a resolute knock. The directive on network and information security - NIS - is being updated to NIS2 and EU member states must now, within 21 months, implement the directive in their respective national legislation. What does this mean and who is affected? Does the directive say anything specific about security awareness and security training? Nimblr explains the concepts.

The NIS Directive, whose purpose is to achieve a high common level of security in networks and information systems within the EU, came into force in 2018 through the "Act (2018:1174) on information security for socially important and digital services". Since its introduction, the directive has been criticized for being incomplete, unspecific and imprecise, and for underestimating the increased threats and rapid developments in the field. Furthermore, the need for increased cooperation and coordination between EU member states in this area has been highlighted. The decision on NIS version 2 was therefore adopted on November 28, 2022. The update involves a broadening and tightening of the original directive, with new provisions and increased obligations for significantly more actors than before.

All-risk approach with increased supervision

The NIS2 Directive establishes protection measures for both the storage and transmission of data considered essential for the maintenance of societal functions. It advocates an all-hazards approach, with increased preparedness for natural hazards and technical failures as well as for human error and cybercrime. The NIS2 Directive also emphasizes the importance of secure supply chains, which means that significantly more companies, authorities and organizations are subject to higher security requirements than before. In addition, it increases the ability of EU supervisory authorities to issue warnings and impose sanctions for security breaches.

More stakeholders

The original NIS Directive covered activities in the following sectors: 

• Energy
• Transportation
• Banking activities
• Financial market infrastructure
• Health sector
• Supply and distribution of fresh water
• Digital infrastructure

NIS2 continues to apply to these sectors as well as to the following sectors:

• Providers of public electronic communications networks or services
• Sewage and waste management
• Space activities
• Manufacturing industry
• Mail
• Food products

In addition to directly affected activities, the number of indirectly affected entities will increase as they are part of critical supply chains. The NIS2 Directive also covers non-EU activities that provide services to EU countries.

Cybersecurity training and awareness raising

Another new feature of the updated NIS Directive is the increased requirement for security awareness among company management. It will no longer be enough to simply leave security issues to the business' IT departments, as the Directive states that: "Member States shall ensure that members of management bodies regularly undergo specific training to acquire sufficient knowledge and skills to understand and assess cybersecurity risks and cybersecurity management practices and their impact on the entity's business." As part of this assurance, the need for measurability is highlighted; business policies should clearly demonstrate a priority for cybersecurity, including through relevant training programs and awareness-raising measures for all employees. The Directive thus advocates not only a stricter approach to IT security but also a broadening of the concept, mentioning not only technical and reactive protection measures but also educational and proactive approaches.

Nimblr and NIS2

At Nimblr, we welcome the EU's call for an increased focus on cybersecurity, as our society is increasingly dependent on secure systems for storing and transferring data. At the same time, we understand that the transition to NIS2 can be costly in terms of time and resources. In addition, the uncertainty associated with change can easily arise, with questions such as "What is the appropriate level of security?" and "How do we know if our measures are effective?". When it comes to training and education, Nimblr's automated solution is a great way for your organization to meet the training requirements of the NIS2 directive. Nimblr Security Awareness Training ensures your NIS2 transition through access to relevant and up-to-date information, interactive simulations and customized training sessions.