Russia’s invasion of Ukraine and the use of hacker attacks for warfare have given a boost to the development of EU cyber security legislation. This applies to the NIS2 Directive, which is an extension of the Network and Information Security Directive adopted in 2018.

What is NIS2?

The NIS Directive covers companies working with critical infrastructure and requires these companies to take specific cyber security measures. Failure to comply with the forthcoming NIS2 Directive could result in fines for the companies concerned. Sectors covered by NIS2 include: digital infrastructure, public administration, couriers, waste management, manufacture of other medical equipment, computers and electronics, machinery, digital service providers, etc. The Directive places heightened obligations on these sectors in terms of risk management and reporting to authorities.

When is it expected to be adopted?

The previous expectation for NIS2 was adoption during 2024. According to Morten Løkkegaard, chief negotiator on the NIS2 directive and EU politician for the Left, it is expected to be adopted as early as the beginning of 2023 (from interview with computerworld.dk).

Influence legislation

From 16 March to 25 May, the European Commission has opened consultation on the future cyber security legislation for the EU, the Cyber Resilience Act. This consultation allows businesses and citizens to make suggestions and comments on cyber security legislation. Read more on the European Commission website.

It is a good idea for companies to prepare and be clear about the security measures they should take, even if the NIS2 directive is not adopted tomorrow. I-Trust has many years of experience in cyber security and offers tools to assess the status and risks of companies.