Why was the adaptation from NIS to NIS 2 necessary?

The world of cyber security requires regular adjustments, updates and improvements to security policies and laws to keep pace with the rapid developments and increasing complexity of cyber threats. The EU Directive on the security of network and information systems, known as NIS (Network and Information Systems), was an important step in strengthening the resilience of critical infrastructures to cyber attacks.

Reasons for the adaptation from the NIS Directive to the EU's NIS 2 Directive

But why was it necessary to adapt NIS to the NIS 2 Directive? Here you will find the background, objectives and expectations associated with the introduction of NIS 2 and how these changes are intended to contribute to strengthening cyber security in the EU.

The origins and limits of the NIS Directive

The NIS Directive was introduced in 2016 and was the first EU-wide legislation focussing specifically on the security of network and information systems. Its aim was to ensure a high common level of security for network and information systems across the EU. This was to be achieved by promoting national cybersecurity capabilities, strengthening cross-border cooperation and introducing security requirements for operators of essential services and digital service providers.

Despite its progress, the limitations of the NIS Directive soon became apparent. The dynamic nature of cyber threats, the increasing interconnection of and dependence on digital systems, and the discovery of security vulnerabilities in new areas of technology made it essential to revise and update the existing directive.

Reasons for the update to NIS 2

The need for the update from NIS to NIS 2 was driven by a variety of factors that are becoming increasingly relevant in the ever-evolving digital world. While the original NIS Directive laid a solid foundation for cybersecurity within the EU, the rapid pace of technological development, the increasing digitalisation of society and the sophistication of cyber-attack techniques necessitated a more comprehensive and flexible piece of legislation. Below we look at the key elements that have made the update to NIS 2 not only sensible but essential, starting with the expanded threat landscape that characterises digital security today.

Extended threat landscape

The cyber threat landscape has changed significantly since the introduction of the NIS Directive. Cyberattacks have become more sophisticated, more frequent and more damaging, requiring a stronger and more flexible response. NIS 2 aims to address these developments by improving resilience and responsiveness to cyber threats.

Protection of critical sectors

The list of sectors that are considered critical infrastructure has expanded. NIS 2 recognises that more sectors are essential for maintaining vital social and economic functions. These include, for example, the healthcare sector, water supply and digital infrastructures. The extension is intended to ensure that these sectors are subject to appropriate protective measures.

Harmonisation and clarity

Another aim of NIS 2 is to harmonise cybersecurity requirements across the EU. The original NIS Directive left member states considerable room for manoeuvre in its implementation, resulting in a patchwork of regulations. NIS 2 aims to achieve greater harmonisation in order to ensure uniform security standards and facilitate the cross-border exchange of information.

Strengthening enforcement mechanisms

NIS 2 introduces stricter enforcement mechanisms and higher penalties for non-compliance. These measures are intended to emphasise the seriousness with which the EU views cyber security and ensure compliance.

NIS adaptation as a necessary response to challenges

The update from NIS to NIS 2 was a necessary response to the ever-changing challenges in the cybersecurity landscape. By expanding the scope, harmonising the requirements and introducing stricter enforcement mechanisms, NIS 2 helps to strengthen the EU’s resilience against cyber threats. This is a crucial step to ensure security and trust in digital services and infrastructures in an increasingly interconnected world.