While cyber criminals are constantly changing their tactics, legislation and standardization often take years, leaving law enforcement efforts without substantial countermeasures. Now, Europe is tightening its cybersecurity directives against the backdrop of growing cyber threats. The European Union has agreed to bring in tougher cybersecurity rules within the framework of the Network and Information Security (NIS2) Directive.

One of the main concerns is the rising number of cyber attacks on supply chain networks. Growing interconnectedness and rapid digitization mean that more sectors than before are becoming systemically important to defend against cyber risk.

The new measures look to boost the cyber resilience of entities across a range of critical sectors, expanding the current scope to include healthcare, medical devices, energy grids, digital services, waste management, critical product manufacturing and public administration.

The security of upcoming 5G networks is one of the key aspects of NIS2. The need to protect the Internet of Things (IoT) – interconnected computing devices embedded in everyday objects – is another consideration underlying the new initiative.

The original 2016 NIS Directive, while contributing to improved cybersecurity, left too many gaps and too much discretion to individual member states. Ambiguity, lack of accountability and, ultimately, fragmentation were the result.

The NIS2 Directive also aims to increase the cybersecurity requirements imposed on companies with new standards and reporting rules. This includes provisions for top management accountability for any non-compliance with the cybersecurity obligations and measures to increase the collective European cyber-resilience in both public and private sectors.

NIS2 aims to implement three major changes in a synchronized, centralized manner across the European Union: government accountability, increased fines and sanctions, and an incident response obligation that makes reporting “significant” incidents mandatory.