The Network and Information Systems (NIS2) Directive is a piece of European Union legislation that aims to enhance cybersecurity and critical infrastructure resilience across the EU. The directive requires both public and private entities in certain sectors to take measures to better manage and secure their network and information systems. The original NIS directive was introduced by the European Union in 2016 and established a baseline for cybersecurity in critical sectors. The new NIS2 directive represents an updated and expanded version that also broadens the scope of coverage to digital service providers.
The sectors covered by the NIS2 directive are diverse and include energy, transport, banking, healthcare, water supply, and digital infrastructure. The directive applies to any organization that provides essential services (OES) or digital services (RDSPs) that rely on network and information systems to operate.
The NIS2 Directive is critical in strengthening the cybersecurity of the EU's critical infrastructure. Cyber-attacks that cause disruptions in essential services can have devastating consequences, ranging from economic damage to loss of life. By requiring organizations to identify and protect their critical information infrastructure and report serious incidents to competent authorities, the directive seeks to improve the EU's collective resilience to cyber threats.
The new NIS2 directive (proposed by the European Commission in December 2020) is, as mentioned, an updated and expanded version of the NIS directive that was introduced in 2016.
While the original NIS directive affected 7 sectors (such as energy, health, finance and water supply), the updated NIS2 directive added 8 more sectors for a total of 15 sectors, including the digital providers sector and the digital infrastructure sector (which includes online marketplaces, cloud computing services, search engines, 1335 European data centers and more).
The new NIS2 directive also enhances incident reporting obligations and promotes greater collaboration among EU member states in tackling cybersecurity challenges. For instance, under the initial NIS directive, the incident reporting requirements varied between member states, while NIS2 established harmonized criteria and timeframes. And while the original NIS directive encouraged cooperation on cross-border incidents, that cooperation is now more formalized, and penalties for non-compliance are now stricter and more consistent.
Organizations covered by the NIS directive must comply with the requirements set out in the legislation. Some of the key measures to prepare for the directive include:
In conclusion, the NIS2 Directive is a crucial piece of legislation that aims to enhance the cybersecurity of essential and important services and digital infrastructure in the European Union. Organizations that fall under its scope must take proactive measures to comply with the directive's requirements, protect their critical infrastructure, and strengthen the EU's collective cybersecurity.
Many enterprises rely on the Now platform from ServiceNow to – among other things – improve security and enforce compliance. Several tools in the platform can also be used to ensure compliance with the NIS directive.
We have collected our best practices on how you can leverage your ServiceNow investment to become NIS compliant in a whitepaper. And even if your organization isn’t affected by the directive, taking measures to improve your cybersecurity is still important.