The proposed expansion of the scope of NIS2, which would bring more entities and sectors under the obligation to adopt measures, should improve the level of cybersecurity in Europe in the long term. The main objective of cybersecurity regulation is precisely to ensure that organizations critical to the functioning of the state and its economy implement preventive measures that strengthen their own cybersecurity and, consequently, that of society as a whole.
This is a key step in preventing, detecting, and mitigating the impact of cybersecurity incidents. This requirement, expressed as the obligation to implement so-called security measures, is the central purpose of the Cybersecurity Act, and the same applies to the NIS2 Directive. The original NIS Directive only stipulated in general terms that obligated entities must take appropriate and proportionate technical and organizational measures to manage risks and prevent incidents. The proposed NIS2 Directive spells out these measures in greater detail.
Compared to the current NIS Directive, the NIS2 Directive expands the set of entities subject to mandatory regulation. These entities are divided into two regimes, “essential” and “important.” Entities in the essential regime are intended to be the most critical entities protected under the regulation. The main difference between the two regimes lies precisely in the security requirements, which are stricter for the essential regime.
Organizations covered by the NIS2 Directive will be required to implement security measures. This obligation applies regardless of whether an organization falls under the essential or important regime; the regime only determines how demanding the measures are.
Which regime applies depends on the organization's size and on the NIS2 Annex in which its sector is listed:

                        NIS2 Annex I    NIS2 Annex II
Large organization      Essential       Important
Medium organization     Important       Important

Only large organizations operating in an Annex I sector fall under the essential regime; all other organizations in scope fall under the important regime.
Table source: https://osveta.nukib.cz/mod/page/view.php?id=2617
The NIS2 Directive emphasizes the responsibility of each organization's management for approving the security measures that mitigate cybersecurity risks and for overseeing their implementation. As part of this, members of management are required to complete cybersecurity training themselves and to encourage their employees to attend similar training.
Each Member State may then specify these security measures in more detail, or add its own, in its national legislation.