
NIS1 vs. NIS2: what are the key differences? 

The NIS Directive (Network and Information Security) was introduced in 2016 to strengthen cyber security in the EU. Due to growing digital threats, it was updated to NIS2 in 2022, redefining cyber security standards and adding new risk management measures. This article explores the key differences between NIS1 and NIS2 and their implications for businesses and authorities.


Table of contents

  • Expanded scope
  • Notification and incident management obligations
  • New standards for risk management
  • Management responsibility and stricter penalties
  • Challenges and opportunities for member states

The NIS Directive (Network and Information Security) marked a turning point in European cyber security. Its first version, NIS1 (Directive (EU) 2016/1148), was adopted in July 2016 with the goal of strengthening the protection of critical systems in EU member states. 

However, with the growing complexity of digital threats, an update became necessary: NIS2 (Directive (EU) 2022/2555), adopted in December 2022 and due to be transposed into national law by 17 October 2024, redefines cyber security standards and introduces new measures for risk management. In this article, we analyze the main differences between NIS1 and NIS2 and what they mean for companies and competent authorities. 

Expanded scope 

With the introduction of NIS2, the scope of the directive has been significantly broadened, including a larger number of entities and sectors compared to the previous NIS1. This evolution reflects the growing interconnection of systems and the increase in cyber threats, which now affect even sectors traditionally considered less exposed. 

Sectors covered by NIS2 vs. NIS1 

NIS1 covered seven sectors of essential services (energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure) plus three types of digital service provider (online marketplaces, online search engines and cloud computing services). NIS2 raises this to 18 sectors, split between Annex I (sectors of high criticality, which also add waste water, ICT service management, public administration and space) and Annex II (other critical sectors, such as postal and courier services, waste management, digital providers and research). Among the newly covered manufacturing and production activities are: 

  • Food production
    Companies involved in producing, processing, and distributing food, essential for security and sustainability. 
  • Pharmaceutical and medical device industry
    Manufacturers of pharmaceutical products and preparations (listed under the health sector in Annex I) and of medical devices. 
  • Automotive and chemical sector
    Manufacturers of motor vehicles and transport equipment, and entities producing, manufacturing or distributing chemicals. 
  • Electronics and advanced industrial technologies
    Manufacturers of computer, electronic and optical products, electrical equipment and machinery. 

This expansion aims to include not only entities already perceived as critical but also those that could suffer significant impacts in the event of cyber incidents, with potentially severe consequences for economic and social continuity. 

Inclusion of medium and large companies 

Another significant change is the inclusion of medium and large companies among the entities required to comply with the directive. NIS1 primarily focused on operators of essential services identified individually by each member state, plus digital service providers. NIS2 instead applies a size-cap rule: medium-sized and large enterprises (in broad terms, 50 or more employees or more than EUR 10 million in annual turnover) operating in the listed sectors are in scope by default, regardless of whether they were previously perceived as critical. Certain entities, such as DNS service providers, top-level domain name registries and sole providers of a service that is essential in a member state, are covered regardless of size. In-scope organizations are classified as essential or important entities, which determines the supervision regime and the maximum fines that apply. 

This approach acknowledges that many of these companies are integral to the supply chains of critical sectors. An attack on a medium-sized company can have a domino effect, threatening the security of entire infrastructures or systems. 

Supply chain and external providers 

NIS2 emphasizes the importance of security across the entire supply chain: Article 21 explicitly lists supply chain security, including the security-related aspects of the relationship with each direct supplier or service provider, among the minimum risk management measures. It is not enough for companies to adopt internal security measures; they must ensure that their suppliers and partners also meet adequate standards. This requirement translates into: 

  • Supplier due diligence
    Verifying that business partners adopt security measures consistent with those required by the directive. 
  • Specific contractual clauses
    Including clear obligations regarding risk management and security measures in contracts. 
  • Reviewing existing relationships
    Adjusting existing contracts to align with the new regulatory provisions. 

This requirement applies not only to providers of essential services but also to technology suppliers, such as digital service providers, who often manage sensitive data or critical systems on behalf of other companies. 

Indirect impacts on excluded entities 

Even companies formally excluded from NIS2 may find themselves indirectly involved. Organizations required to comply will likely impose security requirements on their business partners to avoid risk exposure.

This cascading mechanism ensures a higher level of security throughout the supply chain but also demands significant adjustments for many businesses. 


Notification and incident management obligations

With NIS2, time plays a crucial role in responding to attacks. NIS1 only required notification "without undue delay", leaving member states considerable discretion over timelines. NIS2 instead defines a multi-stage process for significant incidents, with notifications sent to the national CSIRT or competent authority: 

  • An early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact; 
  • An incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise; 
  • A final report within one month of the incident notification, covering a detailed description of the incident, its likely root cause, the mitigation measures applied and any cross-border impact; if the incident is still ongoing, a progress report is submitted instead and the final report follows within a month of the incident being handled. 

The authority may also request intermediate status updates, and entities must, where appropriate, inform the recipients of their services about significant incidents that could affect them. This structure is designed to ensure more timely and effective incident management, minimizing potential damage. 

New standards for risk management

Another innovative aspect of NIS2 is its emphasis on risk management. Article 21 requires entities to take appropriate and proportionate technical, operational and organizational measures, following an all-hazards approach and taking into account their risk exposure, size, and the likelihood and severity of incidents. The minimum set of measures includes: 

  • Policies on risk analysis and information system security; 
  • Incident handling; 
  • Business continuity, including backup management, disaster recovery and crisis management; 
  • Supply chain security; 
  • Security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; 
  • Policies and procedures to assess the effectiveness of the measures adopted; 
  • Basic cyber hygiene practices and cyber security training; 
  • Policies on the use of cryptography and, where appropriate, encryption; 
  • Human resources security, access control policies and asset management; 
  • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate. 

Because the measures must be proportionate to the risk, this approach promotes tailored security, optimizing resources without unnecessary waste. The directive also extends risk management across the entire supply chain, imposing stricter controls on suppliers. 

Management responsibility and stricter penalties

NIS2 introduces new obligations for the management bodies of in-scope entities: they must approve the cyber security risk management measures, oversee their implementation, follow training themselves, and can be held liable for infringements. For essential entities, competent authorities can also temporarily prohibit the persons responsible at chief executive or legal representative level from exercising managerial functions. Administrative fines are set at EU level, whereas NIS1 left penalties entirely to member states: essential entities face fines of up to at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, and important entities up to at least EUR 7 million or 1.4%. This aims to incentivize greater attention to security at the executive level. 

Challenges and opportunities for member states

The implementation of NIS2 presents various challenges for member states and for the entities in scope, including: 

  • Harmonizing rules in multinational contexts, since each member state transposes the directive into its own law; 
  • Staff training; 
  • Creating a corporate culture focused on cyber security. 

However, compliance with the directive also represents an opportunity. A more robust security system improves the trust of customers and partners, creating a competitive advantage in a market increasingly attentive to cyber security. 

In conclusion 

The comparison between NIS1 and NIS2 highlights a clear evolution in the European Union’s strategy. The new directive lays the foundation for greater digital resilience, imposing high standards and expanding compliance obligations.

Adapting is not only a regulatory requirement but also a strategic investment to ensure operational continuity and successfully tackle future challenges. 


Questions and answers 

  1. What does NIS1 vs. NIS2 mean? 
    NIS1 and NIS2 represent two European cyber security directives, with the latter updating and expanding the obligations of the former. 
  2. What sectors does NIS2 cover compared to NIS1? 
    NIS2 extends its scope to new sectors like food production, pharmaceuticals, and automotive, in addition to those already included under NIS1. 
  3. What are the incident reporting timelines under NIS2? 
    Significant incidents require an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month of that notification. 
  4. What role do executives play under NIS2? 
    Management bodies must approve and oversee the risk management measures, can be held liable for non-compliance, and, for essential entities, may be temporarily barred from managerial functions. 
  5. What does NIS2 require of digital service providers? 
    They must meet higher security standards and ensure risk management across the supply chain. 
  6. What security measures are mandatory under NIS2? 
    Article 21 lists minimum measures such as incident handling, business continuity and backups, supply chain security, cryptography, access control, cyber hygiene and training, and multi-factor authentication. 
  7. What penalties does NIS2 impose? 
    Fines can reach at least EUR 10 million or 2% of worldwide annual turnover (whichever is higher) for essential entities, and at least EUR 7 million or 1.4% for important entities. 
  8. How does NIS2 address risk management? 
    It requires an all-hazards approach with measures proportionate to each entity's risk exposure, size, and the likelihood and severity of incidents. 
  9. What changes does NIS2 bring for member states? 
    States must harmonize regulations and enhance cyber security oversight. 
  10. What is the strategic benefit of NIS2? 
    Strengthened digital resilience builds trust and offers a competitive edge. 