NIS2: It's getting CRITICAL

As critical infrastructure is increasingly targeted by hackers, the European Union (EU) in 2022 expanded the scope of the measures defined in the Network and Information Security (NIS) Directive that’s been in place since 2016. Meant to increase cybersecurity for “critical infrastructures” (CRITIS), the new NIS2 regulations (EU 2022/2555) came into effect this year.

The earlier NIS regulations applied to organizations in the energy, healthcare, transportation, banking and financial services, digital infrastructure, digital service providers and water supply sectors. NIS2 adds a wider range of companies and institutions with more than 250 employees, annual revenue of €50 million (US$54 million), or assets of €43 million (US$46.7 million). It includes organizations whose operations are deemed important or essential to the economy or society such as food producers, processors and distributors, manufacturers of electronics, medical devices and other products, postal and courier services, data centers, waste management companies and more.

Other organizations are subject to NIS2 regardless of size including public electronic communications networks or services, trust service providers, domain registrars and DNS service providers, sole national providers of a service whose disruption could have a significant impact on public order, security, or health.

In addition, the following sectors are now considered “highly critical” throughout the EU: energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, information and communications technology (ICT) service management, public administration and space.

At the national level, all EU member states must implement the statutory minimum IT security requirements by October 2024. In Germany, for example, the second draft of legislation covering implementation has been available since July 2023 and only needs to be confirmed by the federal administration.