
NIS2: Cybersecurity Becomes Law in Europe

by Spencer Starkey

NIS2 builds on the original directive to strengthen cybersecurity standards, ensuring greater protection for EU networks and increased accountability for organizations.

First introduced in 2016, the original Network and Information Systems Directive (NIS) was the first cybersecurity legislation designed to increase the cyber resilience of European Union Member States. It was the first to identify operators of essential services in the European Union (EU), to enforce the measures necessary to protect data and networks, and to make incident reporting a formal and central requirement.

A Good First Effort

While NIS was celebrated as a good initial effort to establish standards and requirements for the protection of EU networks, the inconsistent implementation of the original directive across Member States signaled the need for more definition and greater guidance. This led the European Commission to quickly begin work on the directive’s second version, a plan that was introduced in 2020 and became law in 2023.

NIS2 provides legal measures designed to raise the overall level of cybersecurity across the EU by requiring Member States to be properly equipped and prepared. It also establishes cooperation among all EU Member States by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information. Finally, it is meant to create a culture of security across all sectors that are important or essential to the EU economy and to European society in general, which relies more and more heavily on Information and Communication Technology (ICT) organizations.

Improvements in NIS2

NIS2 more than doubled the list of covered industry sectors, from the original seven to a total of 15, and differentiated between sectors of high criticality and other critical sectors. The former are identified as essential entities (EE), including Energy, Transport, Finance, Public Administration, Health, Space, Water Supply and Digital Infrastructure; the latter are important entities (IE), including Postal Services, Waste Management, Chemicals, Research, Food and Manufacturing.

Enforcement requirements are also significantly increased, as are the repercussions of non-compliance, including heavier fines and legal ramifications not only for the companies involved but also personally for their C-level management team members. For EEs, Member States must impose a maximum fine level of €10,000,000 or 2% of the entity’s global annual revenue. For IEs that maximum is €7,000,000, or 1.4%.

These requirements include new steps to improve risk management, greater corporate accountability for security lapses, closer participation in the effort to ensure business continuity among affected organizations, and prompt, comprehensive incident reporting obligations for those organizations.

The NIS2 Directive Becomes Law

EU Member States were each required to transpose the NIS2 Directive into national law by October 17, 2024, to ensure a consistently high level of cybersecurity provisioning across the EU, the lack of which was the main shortcoming of the original Directive.

As reported in a press release on November 28, 2024, the European Commission opened infringement procedures, sending a letter of formal notice of non-compliance to 23 of the 27 Member States, among which were Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden.

These non-compliant Member States have two months to submit their responses, complete their transposition and notify the Commission of the measures implemented.

SonicWall’s Commitment to Supporting NIS2 Compliance for Impacted Organizations

While possible penalties for Member States that remain non-compliant after the two months granted have not been announced, the European Commission takes NIS2 implementation very seriously. It is therefore advisable for organizations impacted by the directive to begin implementing now whatever measures are necessary to achieve and maintain their own compliance.

Since many impacted organizations will not be familiar with the steps necessary to establish such compliance, SonicWall has taken significant action to prepare our partners to provide the guidance, consulting, technical implementation and support services needed not only to establish compliance, but to ensure ongoing compliance for the long term.

SonicWall provides the cybersecurity solutions necessary to achieve NIS2 compliance, helping to secure organizations while keeping them compliant. To learn more about how SonicWall solutions can help you fulfill your NIS2 obligations, read SonicWall’s Compliance Guide to NIS2 or reach out to us directly.

An Article By

Spencer Starkey

Executive Vice President EMEA

Spencer Starkey is a seasoned business leader with a strong background in cybersecurity. Over the past three years, he has helped lead the EMEA Sales team, driving significant improvements in the partner ecosystem. Under his guidance, the EMEA region has achieved outstanding results thanks to his unwavering commitment to SonicWall and his team. Starkey joined SonicWall with a proven track record of leadership, with years of experience in channel and direct-touch from prior experiences at Check Point, McAfee and BAE Systems.