EU’s NIS2 Cybersecurity Directive Enters Full Enforcement

EU’s NIS2 Directive Expansion of Cybersecurity Requirements

The European Union’s (EU’s) NIS2 Directive has officially come into full effect, significantly expanding the cybersecurity requirements for organizations across Europe. The new directive builds on its predecessor, NIS1, by widening the scope to 15 sectors, including manufacturing, digital services, postal services, and online marketplaces. NIS1 had covered only essential services such as energy, transport, telecoms, and banking. Now a much broader range of organizations, over 160,000 across Europe, must comply with strict cybersecurity measures covering risk management, incident response, and supply chain security.

The EU’s NIS2 Directive, which went into effect in January 2023, has allowed EU member states until October 17, 2024, to incorporate the directive into national law. Companies providing services within the EU, including those outside the bloc, must also meet the new cybersecurity standards. This new regulation is designed to strengthen the cybersecurity resilience of essential and important service providers, offering better protection against rising cyber threats.

Compliance Challenges and Financial Impact

The stricter requirements under NIS2 have introduced significant costs for organizations trying to meet compliance standards. Frontier Economics predicted that businesses in the EU could spend up to €31.2 billion annually on implementing the necessary cybersecurity measures. The costs include hiring cybersecurity professionals, investing in new technologies such as endpoint detection and response (EDR), and updating internal processes to improve incident detection and response.

For many organizations, the financial burden is substantial. Tim Wright, a partner and technology lawyer at Fladgate, pointed out that Chief Information Security Officers (CISOs) are facing increasing pressure to expand their budgets to cover the costs of compliance, with some estimates suggesting cybersecurity spending may need to increase by up to 22%. However, companies already certified with ISO 27001 are better positioned, as approximately 70% of NIS2 requirements are already met by this certification.

Global Influence and Long-Term Implications

Although the NIS2 Directive primarily affects the EU, its impact is expected to resonate globally, especially in sectors like energy and healthcare. The directive could become a global standard for cybersecurity best practices, much as GDPR reshaped privacy laws worldwide. While NIS2’s influence may not be as broad as GDPR’s, it is likely to have a significant effect on critical sectors that require robust cybersecurity frameworks.

Experts also believe that businesses should prepare for similar regulations in other regions. For instance, in the United States, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is expected to come into effect in 2025, potentially mirroring many of NIS2’s requirements. According to Del Heppenstall, head of cyber at KPMG UK, businesses should adopt a unified control framework to ensure compliance with multiple regulations, reducing costs and improving efficiency.

The EU’s NIS2 Directive marks a major step forward in enhancing cybersecurity resilience across the EU, reinforcing the need for global industries to stay ahead of evolving cyber threats.
