The NIS2 Directive (Network and Information Security Directive) was adopted by the European Commission in December 2022 and represents the European Union’s strengthened approach to cybersecurity. Building on the original NIS Directive from 2016, NIS2 aims to increase the collective resilience of EU member states against growing cyber threats. The NIS2 Directive broadens the scope of the original, introduces stricter risk management obligations and tightens supervision and enforcement mechanisms, making it a cornerstone of cybersecurity governance across the EU.
The key goals of the NIS2 are:
- Improved cybersecurity preparedness and resilience: Entities in critical and important sectors (such as energy, transport, finance, healthcare and digital infrastructure) are obliged to implement stronger cybersecurity risk management measures.
- Increased cooperation across the EU: A unified European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) is established, reinforcing the role of national authorities and the international cooperation of national Computer Security Incident Response Teams (CSIRTs).
- Greater harmonisation: The expanded scope of sectors and entities under the directive increases the uniformity of security measures and incident reporting obligations across the member states.
Implementation challenges and risks
As listed above, the NIS2 directive provides a clear framework and sets objectives to increase cyber resilience across the EU member states. The transposition into national legislation poses several challenges, however:
- Legal complexity: Member states – or countries wanting to align with European directives – must adapt their existing laws on cybersecurity, or draft new ones. As the scope of the directive has significantly broadened, the number of organisations affected by implementation laws has also increased, resulting in numerous stakeholders that may express concerns about the applicability and feasibility of elements of the implementation law (such as security measures, incident reporting obligations, supervision, etc.).
- Administrative burden: Organisations, especially smaller ones that were not within the scope of the original NIS Directive, may face difficulties with the cost and complexity of integrating the mandatory elements of the NIS2 Directive into their business operations. For example, the obligation to report incidents within 24 hours or the implementation of robust supply chain risk assessments may be costly and time-intensive.
- Lack of capacity: National authorities may lack the technical or operational capacity to fulfil their designated tasks, such as supervision or providing support during incidents.
- Coordination difficulties: Ensuring effective information sharing and coordination of incident response across national sectors is not only a logistical challenge but also requires trust and openness from entities and public institutions.
The NIS2 Directive is not directly applicable; each member state and Western Balkan country must adopt national legislation that aligns with the directive’s requirements. To enter the European Union, all candidate countries must have sufficient cybersecurity legislation in place in alignment with EU standards, such as the NIS2 Directive. Therefore, projects such as ‘EU Support to Western Balkans Cybersecurity Capacity Building’ support the alignment of the domestic legal framework with EU standards.