Company directors and executives also subject to penalties
www.eetimes.com, Apr. 21, 2025 –
The European Union (EU) enacted the Network and Information Systems 2.0 Directive, known as NIS2, in 2022, a sweeping overhaul of its cybersecurity regulations. The full implementation across member states started this year.
For the first time, the new version of the directive makes directors and executives accountable, subjecting them to strict penalties.
With increasing digitalization and industrial societies’ critical reliance on information systems, the EU views enhanced cybersecurity as a paramount priority.
The COVID-19 pandemic further underscored the vulnerabilities within intricate supply networks, prompting the new directive to explicitly address these critical links’ cyber resilience.
This directive, formally known as Directive (EU) 2022/2555, aims to establish a high standard of cybersecurity across the Union in order to improve the functioning of the internal market.
The legislation significantly expands the scope and requirements of its predecessor, the 2016 NIS Directive, impacting designated “essential” and “important” entities and their extensive supply chains.
Essential sectors include Energy, Health, Transport, Finance, Water Supply, Digital Infrastructure, Public Administration, and Space.
The move comes amid escalating geopolitical tensions and a surge in sophisticated cyber threats, including ransomware, phishing, and disinformation campaigns.
NIS2 establishes a framework obligating member states to adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact, and computer security incident response teams (CSIRTs).
By April 17, 2025, a few days before this article, member states were required to establish lists of essential entities, which will be regularly reviewed and updated. Entities falling under the categories listed in Annex I (sectors of high criticality such as energy, transport, banking, and health) and Annex II (other critical industries such as postal and courier services, food production, and manufacturing) are subject to the directive.
Entities that do not qualify as essential but are of the types listed in the annexes are considered important entities. Member states can also identify other entities as necessary based on criteria outlined in the directive.
To populate these lists, entities must submit detailed information to the competent authorities, including their name, address, contact details, relevant sector, and where they provide services. Any changes to this information must be notified without delay, and in any event within two weeks.
The directive emphasizes the responsibilities of management bodies within these entities, requiring them to approve, oversee, and be held liable for implementing cybersecurity risk-management measures. Furthermore, management body members must undergo training to gain sufficient knowledge and skills to identify risks and assess cybersecurity practices.
The explicit focus on supply chain cybersecurity is a significant departure from the previous directive. NIS2 mandates that essential entities consider the security-related aspects concerning the relationships between each entity and its direct suppliers or service providers when implementing cybersecurity risk-management measures.
This includes considering the vulnerabilities specific to each supplier, the overall quality of their products, and their cybersecurity practices, including secure development procedures.