What is the NIS Directive?
The Network and Information Systems (NIS) Directive was introduced by the European Union in 2016 to enhance the cybersecurity and resilience of critical infrastructure across member states. Under the directive, national competent authorities across the EU are responsible for ensuring that its cybersecurity requirements are applied consistently.
The Directive came into force on May 10, 2018, and required EU member states, including the UK, to transpose its provisions into national law. In the UK, this was accomplished through the NIS Regulations of 2018.
The NIS Directive targets sectors critical to society’s functioning, collectively referred to as Operators of Essential Services (OES) and Relevant Digital Service Providers (DSPs). OES includes sectors like energy, transport, water, health, and digital infrastructure, while DSPs cover online marketplaces, search engines, and cloud computing services.
Key NIS Directive Requirements
Under the NIS Regulations 2018, in-scope entities must adhere to specific cybersecurity measures and report incidents that could affect the continuity of their essential services. The key requirements are as follows:
- Risk Management: OES and DSPs must take appropriate and proportionate technical and organizational measures to manage risks that could affect the security of the network and information systems critical to the service they provide.
- Incident Prevention and Minimization: These entities must also take appropriate measures to prevent and minimize the impact of incidents on the security of their systems, ensuring that essential services can continue even if an incident occurs.
- Incident Notification: OES and DSPs must notify the relevant Competent Authority about any incident that significantly impacts the continuity of the essential services they provide. This requirement is crucial to maintaining national resilience, as timely reporting allows for coordinated responses to cybersecurity incidents.
Introduction of NIS 2
In response to evolving cybersecurity threats and the growing importance of network and information systems, the EU introduced the NIS2 Directive as an update to the original NIS Directive. NIS2 expands the scope of sectors covered, introduces stricter enforcement mechanisms, and strengthens cooperation between member states. While NIS1 primarily targeted OES and DSPs, NIS2 covers a broader range of sectors and introduces more granular requirements for risk management, incident reporting, and supply chain security.
NIS2 also increases accountability, as it places more stringent obligations on management bodies of companies and imposes higher penalties for non-compliance. It represents the EU’s ongoing commitment to strengthening cybersecurity resilience, particularly as cyber threats become more sophisticated and widespread.
Key Changes and Requirements under NIS 2
The NIS 2 Directive brings several critical updates to enhance cybersecurity across the EU:
- Expanded Scope: NIS 2 broadens coverage to include more sectors such as healthcare, finance, space, and public administration, now covering both essential and important entities.
- Stronger Risk Management & Incident Reporting: Organizations must implement stricter risk management practices and report incidents within 24 hours of detection, ensuring quicker responses to threats.
- Supply Chain Security: Companies are required to ensure their suppliers also meet cybersecurity standards, addressing risks from third-party vulnerabilities.
- Management Accountability: Senior management is now directly accountable for ensuring compliance with NIS 2, including overseeing risk management and reporting incidents.
- Enhanced Cooperation: NIS 2 strengthens EU-wide cooperation, requiring member states to share cybersecurity information and collaborate on cross-border threats for a more unified response.
The Role of Competent Authorities in NIS
The EU’s NIS Directive (Network and Information Security Directive), introduced in 2016, was Europe’s first major step toward securing critical infrastructure against cyber threats. Each Member State had to appoint competent authorities to monitor essential services like energy, finance, healthcare, and transport. These authorities were tasked with ensuring cybersecurity standards were met, but the original NIS Directive quickly showed its limitations as the cyber threat landscape evolved, with inconsistent oversight across sectors and countries.
Enter the NIS2 Directive. This updated directive turbocharges the role of competent authorities, giving them new powers to ensure compliance and a more comprehensive mandate to conduct inspections, audits, and security scans. NIS2 requires entities to hand over details on cybersecurity practices, and authorities can now take firm action if standards aren’t met: issuing warnings, making public announcements of non-compliance, or even temporarily suspending managers in serious cases. These new tools are designed to push essential services to be not only reactive but proactive about security.
NIS2 also ramps up EU-wide coordination. Competent authorities now share insights and work more closely across borders, tightening cybersecurity across interconnected sectors. By giving authorities sharper teeth and demanding a coordinated response, NIS2 is Europe’s bold move toward a united, resilient dig
Deadlines and Milestones for NIS 2 Compliance
The NIS 2 Directive is set to significantly impact cybersecurity regulations across the European Union, and the most crucial upcoming milestone is the October 2024 deadline. By this date, all EU member states must transpose the directive into national law, ensuring that their legal frameworks align with the strengthened security measures for essential and important sectors. This will set the stage for more robust cybersecurity practices, requiring companies to implement enhanced security and reporting measures in line with NIS 2’s broader scope.
After the October 2024 transposition deadline, organizations will have to begin complying with the directive’s requirements, including faster incident reporting (within 24 hours) and more comprehensive cybersecurity governance structures. By 2025, businesses will be expected to implement risk management measures and technical security standards, with regular audits and compliance checks becoming more frequent. This will push companies to build resilient network and information systems, fostering stronger protection across critical sectors such as healthcare, energy, and transport.
Looking further ahead, 2026 will likely see full integration of NIS 2’s provisions into business operations, with non-compliant entities facing penalties. Ongoing compliance, updates to security measures, and audits will continue well into 2027 and beyond, ensuring the EU’s cybersecurity posture evolves alongside emerging risks.
Upcoming Key Dates
- October 2024: Deadline for transposition of NIS 2 into national law by EU member states.
- 2025: Organizations to begin implementing risk management measures and technical security requirements, with compliance checks starting.
- 2026: Full integration of NIS 2 requirements into business operations, with audits and penalties for non-compliance.
- 2027 and beyond: Ongoing updates to the directive, compliance assessments, and evolving cybersecurity requirements.