Now it has happened! The EU Parliament’s gavel has swung and met the table surface with a resolute tap. The Network and Information Security Directive – NIS – is being updated to NIS2, and within 21 months EU Member States must implement the directive in their national legislation. What does this mean, and who is concerned? Does the directive say anything specific about security awareness and training? Nimblr provides clarification.

The NIS Directive, which aims to achieve a high common level of security in networks and information systems within the EU, was enacted in 2018 through The information security law. Since its introduction, the Directive has been criticized for being incomplete, unspecific, and ineffective, and for underestimating the increased threats and rapid developments in the field. Furthermore, the need for increased cooperation and coordination between EU Member States in this area has been highlighted. On 28 November 2022, the adoption of NIS version 2 was thus decided. The update broadens and sharpens the original directive, with new regulations and increased obligations for far more actors than before.
An all-risk perspective with increased monitoring
The NIS2 Directive establishes safeguards for both the storage and transmission of data that are considered essential for the maintenance of public services. It advocates an all-risk approach, with increased preparedness for natural hazards and technical failures, as well as for human error and cybercrime. The NIS2 Directive also emphasizes the importance of securing supply chains, which implies higher security requirements for far more companies, authorities, and organizations than before. Furthermore, EU regulators will have more means to issue warnings and sanctions for breaches of security.
More concerned parties
The original NIS Directive applied to activities in the following sectors:
- Energy
- Transport
- Finance
- Healthcare
- Supply and distribution of freshwater
- Digital infrastructure
NIS2 continues to apply to these sectors as well as the following ones:
- Providers of public electronic communications networks or services
- Sewerage and waste management
- Space activities
- Manufacturing industry
- Post service
- Food
Beyond the directly affected parties, the number of indirectly affected entities will also increase, as they are part of critical supply chains. The NIS2 Directive also covers non-EU activities supplying services to EU countries.
Cybersecurity training and awareness raising
Another new feature of the updated NIS Directive is the increased requirement for security awareness among management bodies. It will no longer be sufficient to leave security issues solely to the business’s IT departments, as the Directive states that: “Member States shall ensure that members of the management body follow specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.” As part of this assurance, the need for measurability is highlighted; business policies should demonstrate a prioritization of cybersecurity, among other things through relevant training programs and awareness-raising actions for all employees. The Directive thus advocates not only an increased focus on cybersecurity but also a broadening of the concept, mentioning not only technical and reactive protection measures but also educational and proactive approaches.
Nimblr and NIS2
At Nimblr, we welcome the EU’s advocacy of an increased focus on cybersecurity, as our society becomes more and more dependent on secure systems for storing and transmitting data. At the same time, we understand that the transition to NIS2 may be costly in terms of time and resources. In addition, uncertainty easily arises with change, with questions such as “What is an adequate level of security?” and “How do we know if the measures we have taken are having an impact?”. Regarding training and education, Nimblr’s automated solution is an excellent way for your business to meet the training requirements of the NIS2 Directive. Nimblr Security Awareness Training ensures your NIS2 transition through access to relevant and up-to-date information, interactive simulations, and business-oriented training sessions.