Back in 2016, the European Union (EU) made its first attempt to push its member states to get a handle on cybersecurity. This initiative brought about the Network and Information Security directive (NIS), meant to address threats to information systems and networks capable of disrupting the services, processes, and users of the digital economy. The directive laid out a set of minimum security measures that operators of essential services and providers of digital services, in sectors such as energy, banking, health, and water supply, had to adhere to.
These rules had a positive effect on the cybersecurity landscape, driving investment and establishing fundamental best practices in the area. However, there were considerable gaps that needed addressing, most notably the lack of clarity on how EU member states should transpose the requirements into their national laws, and the inconsistent categorization of the companies that fell under its scope.
Fundamentally, the regulations of the original NIS security directive were part of a very different digital landscape than the one presented to organizations now. The consolidation of remote and hybrid work models has forged a perfect scenario for bad actors to get creative and expand the reach of their attacks and the nature of entities targeted.
The threat landscape continues to evolve
If the years following the implementation of the first NIS directive were tough on IT and security teams, the years since Covid-19 have brought a whole lot of fresh challenges. If the security predictions are any indication of what to expect, we are in for a rough ride. Recently, during the annual meeting of the World Economic Forum (WEF) in Davos, Switzerland, a cybersecurity expert from the University of Oxford predicted a “gathering cyber storm”.
In a previous blog, we talked about the evolving cybersecurity scenario, with the upsurge in advanced technologies and geopolitical crises featuring as major contributing factors in the global cyber landscape. In addition, the number of cyber-attacks across Europe has been increasing steadily, prompting the EU to seek a more resilient directive for the future: one that includes not only a clear baseline for risk management, but financial consequences for non-compliance. Once NIS 2 comes into force, essential entities could be fined up to €10 million or 2% of the organization’s total worldwide annual turnover, whichever is higher.
NIS 2: time to get serious
The new version of Europe’s cybersecurity directive, NIS 2, is broader, clearer, and more likely to be future-proof. The number of sectors covered within the scope of the directive is increasing from the original 19 to a comprehensive 35, to reflect new sectors crucial for the economy and society. A size-cap rule is included, so that all medium and large companies within the selected sectors are covered automatically. The rules also allow member states to bring smaller organizations under the directive’s umbrella if they are identified as a high security risk.
In practice, NIS 2 moves from the original scope of energy, healthcare, transport, finance, water supply and digital infrastructure to include manufacturers of food and medicine, waste management and postal services, among others. Areas previously overlooked, such as sub-contractors and third-party service providers, are also covered under the rules. And as with GDPR and similar legislation, companies that are not established in the EU but offer their services within the bloc are considered to fall under the jurisdiction of the directive and are liable for infringements.
With the adoption of these measures last November, and a 2024 deadline set for member states to get them in place, the EU steps up its attempt to safeguard the economies of its member states against the very real threat of escalating cyber-attacks. The onus of such plans falls onto executives and stakeholders, in both the private and public sectors. There will be an undeniable drive to get systems, processes, networks, devices, and users up to code, and a lot of uncertainty along the way.
Up next: key elements and best practices for compliance
In this blog series, we will analyse what NIS 2 means for IT and security teams within the bounds of the directive. We will explore the scope and consequences of the rules from the point of view of both managers and tech departments. In the meantime, it is worth noting that the rules will apply to entities already covered by the original NIS directive, plus any other organization in the relevant industries that qualifies as medium-sized or larger: at least 50 employees, or an annual turnover and balance sheet total exceeding €10 million. In the next blogs we will explore what this means for your organization, including the key elements to focus on when applying the NIS 2 directive and the best practices for compliance.