Comparative Analysis of the NIS Directive and the NIS2 Directive
The NIS Directive and the NIS2 Directive are both key pieces of legislation in the European Union's cybersecurity strategy. However, the NIS2 Directive, proposed in December 2020, represents a significant evolution from the original NIS Directive. The following are some key points in which both regulations can be compared to have a better understanding of both of them.
The NIS Directive was the first piece of EU-wide legislation on cybersecurity, and it provided legal measures to boost the overall level of cybersecurity in the EU. The Directive applied to Operators of Essential Services (OES) in sectors such as energy, transport, banking, healthcare, and digital infrastructure (e.g., internet exchange points, DNS service providers, and top-level domain name registries), and to Digital Service Providers (DSPs), which included online marketplaces, online search engines, and cloud computing services.
The NIS2 Directive expands the scope significantly to cover a wider range of entities. In addition to OES and DSPs, the NIS2 Directive also applies to important entities in sectors like postal and courier services, waste management, the energy industry, and manufacturing of certain pharmaceutical or chemical products. It also covers new digital services such as social networking services, online intermediation services, and cloud computing services.
Security and Incident Reporting Requirements
Under the NIS Directive, OES and DSPs were required to take appropriate security measures and to notify the relevant national authorities of serious incidents.
The NIS2 Directive introduces more stringent security and incident reporting requirements. Entities are required to manage cyber risks, implement resilience measures, and report significant cyber incidents to national authorities within 24 hours. The NIS2 Directive also introduces requirements for entities to report any significant cyber threats that could potentially affect them.
Supervision and Enforcement
The NIS Directive required each EU member state to designate one or more national competent authorities for the implementation and enforcement of the Directive.
The NIS2 Directive strengthens the supervisory measures and enforcement provisions. It introduces stricter penalties for non-compliance, with fines of up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year. The NIS2 Directive also provides for stronger supervisory powers for national authorities, including the power to conduct audits and to issue binding instructions.
Both the NIS Directive and the NIS2 Directive emphasize the importance of information sharing for cybersecurity. However, the NIS2 Directive goes a step further by introducing requirements for entities to share cyber threat intelligence and to participate in information sharing groups.