NIS2 Regulation Comes into Force: EU Cybersecurity Market set for Growth

The European Union (EU) published the NIS 2 Directive setting new standards for cybersecurity measures, while regulating more sectors under the new directive, which include Small and Medium Enterprises (SMEs) with more than 50 employees. Prior to NIS 2, the 2016 Network and Information Security (NIS 1) Directive was the first European legislation on cybersecurity across member states. Yet, the directive suffered from a number of shortcomings, including unclear expectations and ambiguous classification of entities that were the subject to the directive. For example, while critical sectors fell under the directive, some member states classified healthcare providers as critical, while others excluded large hospitals from the directive. The original NIS targeted seven critical sectors, namely health, transportation, banking and financial markets, digital infrastructure, water supply, energy, and digital service providers. The new Directive identifies an extra eight sectors: providers of electronic communications and networks, social media platforms and data centers, wastewater and waste management, the space sector, critical product manufacturing, postal services, the food & beverage industry, and public administration. Regarding the size of entities covered under the Directive, NIS 2 applies to critical firms that employ more than 50 people and with annual turnover exceeding €10 million annually. In addition, firms that provide the same or similar essential services to six or more EU member states are also defined as critical.

NIS 2 further imposes a new approach to incident reporting: critical entities must submit an initial report within 24 hours of becoming aware of an incident, and a detailed report within 1 month of the incident. The report must include: 1) the number and proportion of users affected by the disruption; 2) the duration of the disruption; and 3) the geographical area affected by the disruption. The Directive also expands government oversight with Chapter 6 of the Directive establishing that member states “shall ensure that the competent authorities have the powers and means to conduct on-site inspections of the critical infrastructure and the premises that the critical entity uses to provide its essential services.” It stresses that relevant national authorities should be able to “conduct or order audits in respect of critical entities.”

Members have another 21 months until October 2024 to incorporate the provisions of the Directive into their national law. Yet they could do this earlier, and those countries with advanced cybersecurity infrastructure might decide to speed up the process. This means organizations and vendors need to be prepared for the shifting regulatory environment that leans toward more oversight and possible penalties under Article 22 of Chapter 6 of NIS 2. The Directive will impact more than 160,000 entities in Europe by compelling them to strengthen their cybersecurity risk and incident management measures. This means organizations should review whether they fall within the scope of the directive, and cybersecurity vendors should prepare to assist clients to meet their regulatory obligations. The wide scope of the Directive and the inclusion of new critical infrastructure means more sectors will have to comply and set up roadmaps to implement the measures. The Directive calls for “fines of a maximum of at least €10 million or of a maximum of at least 2% of the total worldwide annual turnover” of entities, meaning that both firms and vendors will need to devise effective strategies to avoid the heavy penalties. This will contribute to new business for security vendors, but the extent of the penalties and their interpretation is yet to be known, as heavier fines seem to be directed toward larger enterprises that already spend more than smaller organizations on cybersecurity.   

The Directive seeks to go beyond the initial NIS Directive by encouraging the implementation of cybersecurity measures that go beyond baseline requirements, indicating that the era of lax cybersecurity regulation is over. The low size cap threshold of 50 employees and the expansion of sectors in the Directive signal that cybersecurity measures are now evolving to become typical business considerations for organizations, regardless of their size and sector. This also means cybersecurity vendors, especially those that provide solutions to critical infrastructure, will become permanent players, with services in constant demand. This will lead to increasing business opportunities, but also increasing competition among vendors. Cybersecurity vendors that display broad portfolios indicating breadth of knowledge and target their solutions to specific sectors will gain the upper hand in the market.