NIS 2, main new features in the new European cybersecurity Directive

Blog

2 Dec 2021
Posted by: Javier Tallón

Improving cybersecurity has been one of the main milestones set by the European Commission in recent years. The arrival of the COVID-19 pandemic, with confinement in practically all of Europe, has accelerated many activities or formalities that previously could only be carried out in person. This has also led to an increase in cybercrime, with some crimes, such as ransomware, tripling in number.

The European cybersecurity Directive NIS 1, approved in 2017, already put on the table certain measures to improve cybersecurity in European companies considered critical infrastructures, with penalties for those that did not comply with them, categorized on a scale of severity as minor, serious and very serious. However, different voices criticized the lack of homogeneous incorporation of this regulation in the different Member States, which created a different applicability in each one and, in the end, led to a fragmentation of the single market.

The process of creating the NIS 2

Given this perspective, it was obvious that an improvement of NIS 1 would come sooner rather than later; therefore, the Commission's announcement in early 2020 that it would launch a revision of this Directive (NIS 2) created many expectations.

The following is a concise chronology of NIS 2 from the beginning.

  • January 29, 2020: The Commission announced its intention to launch a revision of the Network and Information Systems Security Directive (NIS Directive).

  • July 7, 2020: The Commission launched a public consultation on the review of the NIS Directive aimed at gathering views on its implementation and on the impact of possible future changes.

  • October 2, 2020: The consultation closed.

  • December 16, 2020: The Commission presented a new EU Cybersecurity Strategy making a proposal for a Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or "NIS 2").

  • April 13, 2021: The Commission presented its proposal.

  • June 2, 2021: The deadline for tabling amendments to the proposed Directive.

  • October 28, 2021: MEPs from the Committee on Industry, Research and Energy (ITRE) adopted the report on the NIS 2 Directive.

  • Coming soon: Entry into force of NIS 2.

Main differences between NIS 1 and NIS 2

After analyzing the draft of the NIS 2, there are a number of improvements compared to NIS 1, which are summarized in the following points:

  • Security requirements will be strengthened with a list of focused measures, including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and effective use of encryption.

  • The cybersecurity of the supply chain of key information and communication technologies will be strengthened.

  • Management will be held responsible for compliance with cybersecurity risk management measures.

  • Streamlined incident reporting obligations with more precise provisions on the reporting process, content and timing.

Which new sectors are affected by NIS 2?

In the new regulation there is a significant increase in the number of sectors to which it applies. In addition to the well-known sectors included in NIS 1, such as energy, financial markets, transport, digital providers or banking, others such as telecommunications, manufacturing, waste management, food, public administration or aerospace have been added.

Although it is true that only medium-sized and large companies fall within the scope of NIS 2, they must also take into account the companies that supply them, so that those suppliers do not weaken the supply chain.

In the following chart we can see the sectors that were affected by NIS 1, as well as the extension of the scope to include more sectors and services as essential or important entities in NIS 2.

How can we help you to apply NIS 2 in your company?

At jtsec we are experts in consulting and evaluation under different standards recognized at European level. Therefore, do not hesitate to contact us so that we can advise you on which certification is more convenient for your company to comply with the imminent final approval of the NIS 2 by the European Commission.

Javier Tallón / Technical Director

Expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country's major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (up to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also a cybersecurity lecturer, giving classes on Secure Software Engineering at the University of Granada, and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified.

In 2015 he began to lay the foundations of what would become jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site, from where the company develops most of its work. A recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), he assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple congresses.
