Understanding the NIS2 Directive

Summary: The NIS2 Directive expands cybersecurity duties, covering more sectors to boost resilience, consistency, and awareness.

How can the best interests of the public be protected when more and more crucial pieces of public infrastructure depend on technology?

That’s the core question addressed by a new piece of EU legislation set to become law in Ireland later this year. From government services to public utilities to hospitals, banks and more – the world has shifted to embrace technology, and while this has brought enormous efficiencies, it has also created new kinds of risks for society.

To help mitigate these risks, the Networks and Information Systems 2 (NIS2) directive will introduce new obligations around cybersecurity on Irish companies.

This directive became EU law in January 2023 and will become Irish law as well when it comes into force in October 2024. It’s important that company directors, chief information officers and security specialists everywhere have a good grasp of what this will mean.

The first NIS directive (NIS1) was written in 2016 and introduced into Irish law in 2018, but six years is a long time in cybersecurity and a lot has happened since then. There is now broad support for a new version of the directive, one that aims to establish higher levels of cybersecurity standards.

So what is this NIS2 directive, and what does it mean for you? What does it do that the previous version didn’t? The new and updated directive aims to ensure that Europe’s essential digital infrastructure in areas such as banking, transport, health and energy is kept safe from attack.

It recognises that some activities and some kinds of infrastructure are more important than others, with some crucial to keeping society going. Because of this, the companies who run them need to be held to high standards of security. The main difference between NIS1 and NIS2 is that this new version applies to more companies than before, in more sectors. Even if a business wasn’t subject to NIS1 before, it might now be subject to NIS2.

First goal of the NIS2 Directive - cast a wider net

The new and updated version of the directive has three main goals. The first is to increase cyber resilience across the EU, bringing more types of companies in more sectors under its jurisdiction than before.

The sectors covered by the NIS2 directive are as follows: healthcare, banking and financial market infrastructure, water supply, digital service providers, transport, digital infrastructure, energy, food, postal and courier, space, digital services, such as social networking services platforms and data centre services, manufacturing of certain critical products, providers of public electronic communications networks or services, public administration and finally waste water and water management.

For NIS2, a further difference is that member states won’t be able to tweak the legislation before enacting it. The general idea is to update the law to reflect that across Europe, society is becoming more dependent on IT, and the rules around protecting the public need to reflect that dependence.

Second goal of the NIS2 Directive - reduce inconsistency

The second is to reduce inconsistencies in the sectors already covered by the first NIS directive, adding new sectors and bringing more public and private entities under its umbrella.

This is about enforcing uniform reporting responsibilities, improving supply chain resilience and generally tidying up the loose threads exposed by the implementation of the old legislation originally written in 2016.

Third goal of the NIS2 Directive - raise awareness

The third goal is raising the level of awareness across the EU of the importance of cybersecurity and improving member states' abilities to defend themselves. This goal aims to improve the way the EU prevents, handles and responds to large-scale cybersecurity incidents.

It also introduces mandatory incident reporting and aims to make companies take the issue of ransomware and network incursions much more seriously.

“The revised NIS2 directive covers more sectors and companies based on an assessment of their criticality for the EU economy and wider society. One of the main things it aims to achieve is a kind of harmonising of the rules generally enforced across Europe,” said Stephen Corrigan, Solution Sales Principal for Vodafone Ireland.

The thinking is that if different countries enforce different rules, then the differences could end up becoming a significant barrier to progress.

“But we recognise that many C-suite professionals and even cybersecurity experts are extremely busy people, and it can be a challenge to stay on top of best practice for every aspect of the technology they rely upon. It’s our job to be able to offer close partnerships where we can help shoulder this challenge together, either directly or with the help of partner businesses we think are global leaders in these areas,” said Corrigan.

A significant aspect of any legislation designed to change behaviour is the penalties that can be imposed on companies and organizations that don’t comply. In the case of the NIS2 directive, the range of sanctions allowed for is quite varied.

They include binding instructions, an order to implement the recommendations of a security audit, an order to bring security measures into line with NIS2 requirements and administrative fines of up to $10 million, or two per cent of the offender’s total annual worldwide turnover, whichever is higher.

These are heavy penalties, but it’s important to note that NIS2 doesn’t just represent a logistical hassle, in the form of more regulations to observe. It also offers an opportunity.

“Just like when the GDPR was introduced, complying with NIS2 is probably not the most welcome item on your to-do-list. But the expression ‘every disadvantage has its advantage’ is not a cliché in this case.

“You can lament the hard work and expenses, but you can also see it as a golden opportunity to take your cybersecurity to the next level,” said Tim Timmermans, Chief Information Security Officer for Vodafone partner ON2IT.

“Yes, NIS2 increases the cybersecurity requirements that must be met, but you are probably already compliant with some of these. The flip side to these additional requirements is that the NIS2 directive also states that companies will get help from the government when, for example, they are hit by a ransomware attack.”

Together, Vodafone and ON2IT can help advise Irish companies on the best policies and procedures to put in place to ensure NIS2 compliance, as well as provide the tools to make incident handling and network security much easier to manage.

“As an organization, you will need to be able to proactively demonstrate compliance with NIS2 regulations. Practically speaking, in order to comply with the NIS2 measures, you need a 24/7 security operations centre (SOC). Therefore, you will have to make a choice; do I keep this SOC in-house, or do I outsource it?” said Timmermans.

“We think a good overarching policy is a good starting point for making this important decision, and we’re happy to partner with Vodafone to help create one with you.”
