by Anastasios Arampatzis
Back in 2016, the European Union published the Network and Information System (NIS) Directive to confront the frequent and advanced cyber-attacks against critical infrastructures. With the NIS Directive, the EU wanted to direct its members to build requirements and rules regarding their national and cross-border cybersecurity capabilities. Although the plan was great, its implementation proved to be rough. The result was security fragmentation across the public and private sectors, which led to inefficient cybersecurity.
During the last few years, more powerful and destructive cyber-attacks have again put the EU’s cyber health at risk. The catastrophic results that we have witnessed confirmed the hard way that the EU’s cyber defense needs at least a facelift. In 2020, the decision was taken to revise the Directive, to “further strengthen overall cybersecurity in the Union”. What changes will the new Directive, NIS2, bring?
The NIS Directive
The NIS Directive, which came into force in August 2016, set norms for the minimum security measures that national Operators of Essential Services (OES) and Digital Service Providers (DSP) should have in place, and for how these are supervised. The desired outcome was to improve cybersecurity capabilities and cooperation within the EU through proper risk management and incident reporting procedures among key OESs and DSPs.
Every Member State set up a National Cybersecurity Strategy, a Computer Security Incident Response Team (CSIRT), and a National Competent Authority (NCA); these mechanisms exchange risk information, cooperate on security incidents, and ensure that the rules are duly applied by the national entities. Non-EU entities operating in the EU need to comply with the Directive as well.
Operators of Essential Services (OES)
The Directive helps the Member States define their OESs, based on specific criteria. Any private or public sector that relies on information networks can be an OES: utilities, transport, and healthcare, but also public administrations, the food sector, the chemical and nuclear industry, and civil protection are some of them.