The term NIS, which is usually also referred to as NIS1, stands for the “Directive on Security of Network and Information Systems”, which was adopted by the EU in 2016. Since then, the NIS Directive has been revised, and the NIS2 version has been adopted by the European Parliament.
The directive was developed to improve the protection of critical infrastructure within EU member states, to prevent or detect cybersecurity incidents, and to respond to them appropriately. Its goal is to raise cybersecurity to a new level across the EU.
It harmonizes standards, strengthens risk management, introduces reporting requirements, and tightens fines to provide more comprehensive and effective protection for critical infrastructure and digital services.
NIS2 aims to strengthen cybersecurity for essential infrastructures across the EU and to protect them against cyber threats of all kinds. In doing so, the directive addresses current cybersecurity challenges, particularly those arising from the increasing digitization of services and the growing use of IoT devices. The aim is to improve cybersecurity resilience and responsiveness in order to protect both the public and private sectors in the EU, and to ensure that vital infrastructure continues to function in times of crisis.
The directive establishes basic minimum requirements for the security of networks and information systems and requires all EU member states to standardize policies and measures to ensure cybersecurity.
Among other things, entities affected by the directive must take appropriate risk management measures for the security of their network and information systems and comply with corresponding reporting obligations.
Since this is a directive and not a regulation, it does not apply automatically in all EU countries but must first be transposed into national law by each EU member state.
The NIS2 Directive represents an updated version of the original cybersecurity directive, NIS1. It replaces the previous directive and sets new minimum requirements for the security of critical infrastructure within the EU.
In Austria, the NIS1 Directive was implemented in 2018 as the Federal Act on Ensuring a High Level of Security of Network and Information Systems (Network and Information Systems Security Act – NISG). This regulation mainly applies to companies that belong to the critical infrastructure or operate digital services such as online marketplaces, search engines and cloud computing services.
The introduction of NIS2 builds on the foundation of the original directive. The expanded NIS2 directive was published in 2023 and requires all EU states to transpose its requirements into national law by October 17, 2024.
The NIS1 directive presented by the EU Commission in 2016 was formulated too vaguely in many respects and was therefore implemented very inconsistently across the member states. For example, the classification of critical infrastructure differed, and the list of providers affected by the directive varied from country to country.
In addition, there were no rules for monitoring implementation and no specific requirements for the disclosure of cyber risks. A further weakness of the NIS1 directive was insufficient cyber resilience and the lack of coordinated crisis responses. Against this backdrop, and in view of the growing threat landscape and rising cybersecurity requirements, the European Commission decided to revise the NIS Directive, whereupon the NIS2 Directive was enacted by the European Parliament on January 16, 2023.
The NIS2 directive extends the scope of application compared to the previous legal situation. This means that some companies or authorities that were not previously subject to IT security regulation may now fall within scope. All companies and authorities are therefore advised to engage with the NIS2 requirements at an early stage so that they can react to possible effects or changes in a timely manner.
Large and medium-sized companies from 14 sectors are affected by the NIS2 directive:
The number of “Essential Entities” classified as critical has been increased to eleven sectors in the new directive, while the “Important Entities” comprise seven sectors. This means that a total of eighteen NIS2 sectors are affected.
The NIS2 regime applies only to medium and large companies, without considering thresholds for facilities or similar criteria. In addition, certain companies are regulated regardless of size, such as parts of the digital infrastructure or public administration.
The classification of a company as large, medium, or small depends on the following factors:
Regardless of classification by company size, the NIS2 Directive also applies to those providers who provide the following services:
The NIS2 directive makes clear that responsibility for cybersecurity and for preventing IT security incidents must lie with top management in every company. Senior management must ensure that all risk management measures are followed, and management can be held personally liable if these requirements are not met. To this end, supervisory authorities are given powers to conduct on-site inspections and security reviews and to take effective, proportionate, and dissuasive measures.
This applies to public administration, regardless of whether national rules on the liability of civil servants or other employees provide otherwise.
By October 18, 2024, at the latest, the NIS2 Directive must be transposed into national law in all EU member states.
The aim of the directive is to strengthen the cybersecurity of key facilities. EU member states must ensure through their national legislation that the leadership teams of key institutions implement and monitor cybersecurity risk management measures and can be held accountable for breaches.
In addition, all EU member states must ensure that leadership teams take part in regular training and encourage key institutions to provide regular cybersecurity training to their staff, so that they can identify, assess, and manage cybersecurity risks and understand their impact on the services the organization provides.
The directive contains the following risk management measures that must be fulfilled by the companies and institutions concerned:
In addition, supervision and cooperation between authorities and companies will be intensified, and a reporting obligation will be introduced. Within 24 hours of detecting a cybersecurity incident, an initial notification is required. If necessary, an update and preliminary assessment will be conducted by the supervisory authority within 72 hours of the initial notification. A final report must be submitted no later than one month after the initial notification of the incident. The reporting requirement is intended to improve transparency and coordination so that cybersecurity incidents can be handled effectively.
Compared to NIS1, the NIS2 Directive brings significant extensions in terms of responsibility, obligations, and supervision within the EU:
Sectors: The number of “Essential Entities” classified as critical increases to eleven, and the “Important Entities” have been expanded to seven sectors.
Affected entities: The directive affects large and medium-sized companies. In addition, some operators are regulated regardless of size, including parts of the digital infrastructure and public administration.
Cyber security: Requirements for operators and EU member states will be increased, including requirements for the security of supply chains.
Cooperation: Oversight and cooperation between authorities and operators will be intensified, and European jurisdiction will be clarified.
Sanctions: Penalties and enforcement measures will be significantly increased, with maximum fines of up to €10 million, or two percent of the company’s total annual global turnover.