NIS2 Directive: Is It the Most Effective Way to Strengthen Cyber Resilience Across the EU?


In recent years, cybersecurity and its enhancement across the European Union (EU) have become a top priority. Cyberattacks are becoming more difficult to detect and prevent in a timely manner. These attacks cause financial losses, disrupt business operations, damage reputations, and affect societal well-being. To proactively prepare for future attacks, identify them swiftly, and mitigate their consequences, the European Parliament adopted the NIS2 Directive (Network and Information Security Directive 2) in December 2022. This directive enforces stricter security measures. Latvia implemented its national cybersecurity law on September 1, 2024.

Cyber Threats with Lasting Impact

According to Europol’s 2023 report, the number of cyberattacks continues to rise across the EU. The most common type of attack is ransomware, which infects computer systems and blocks access to files, demanding a ransom for their release. Ransomware is typically spread through phishing emails containing malicious attachments or links, or via compromised websites. It can also infiltrate devices with outdated software or operating systems lacking the latest security updates.

The European Union Agency for Cybersecurity (ENISA) estimated that cyberattacks caused a financial impact of €2.4 billion across the EU in 2022. These attacks frequently target critical infrastructure sectors such as energy, healthcare, and transportation, aiming to degrade service quality or halt operations entirely.

NIS2: A Panacea for Cyberattacks?


We invited Normunds Upenieks, our instructor and an expert in IT and innovation, to discuss the NIS2 Directive, its scope, and its requirements.

1. Can you please explain what the key difference is between the NIS1 and NIS2 Directives?

Like NIS2, the NIS1 Directive, introduced in 2016, aimed to enhance cybersecurity across the EU. However, the key difference lies in the expanded scope of NIS2, which covers a broader range of sectors and service providers. It introduces stricter cybersecurity measures to ensure closer collaboration among EU member states and more proactive responses to cyber threats. The ultimate goal of NIS2 is to prevent disruptions or shutdowns of essential services during cyberattacks.

2. Which sectors are subject to the new directive’s requirements?

The directive primarily applies to essential and important service providers, spanning sectors like finance, healthcare, transportation, research, food, manufacturing, digital infrastructure, and energy. The designation is based on the company’s contribution to the national economy. Importantly, these requirements also apply to private sector entities and non-governmental organizations.

3. How can companies determine if they are subject to the directive?

To determine whether NIS2 applies to a specific organization, a self-assessment report must be submitted by October 1, 2025. Companies unsure of their classification can consult the Latvian National Cybersecurity Center, the supervising authority in Latvia.

4. What requirements must be met by organizations under the directive?

Organizations must:

  • Determine their status as essential or important service providers.
  • Appoint a cybersecurity manager with relevant qualifications, certifications, and at least two years of experience handling cyber incidents by October 1, 2025.
  • Conduct risk assessments to identify critical assets, threats, and vulnerabilities.
  • Develop and regularly update a cyber risk and business continuity plan, testing it before implementation.
  • Provide employee training to ensure preparedness for cyber threats.
  • Report cyber incidents promptly to facilitate information sharing and a swift response across EU member states.

While these requirements are extensive, having a well-defined plan simplifies response efforts during crises, helping to mitigate or minimize the impact of cyberattacks.

5. In your opinion, will the NIS2 Directive reduce cyber risks?

I believe it will. The stricter requirements compared to NIS1 should enhance cybersecurity management at both the company level and among EU member states, enabling faster and more effective responses to cyber threats.

Penalties for Non-Compliance

The NIS2 Directive introduces substantial fines for non-compliance, failure to report incidents, providing false information, or neglecting technical and organizational measures. Penalty amounts are as follows:

  • Essential service providers: Up to €10 million, or 2% of annual turnover for companies with revenue exceeding €500 million.
  • Important service providers: Up to €500,000, or 1.4% of annual turnover for companies with revenue exceeding €500 million.

Training and Certification Opportunities at BDA


We are offering a variety of training and certification programs in cybersecurity, suitable even for cybersecurity managers. These include:

The NIS2 Directive aims to combat cyberattacks, reduce their impact, and accelerate recovery. However, the weakest link in cybersecurity remains the human factor. Investing in employee development and cybersecurity education is essential to raise awareness, recognize threats, and respond effectively. Explore our extensive training catalog and choose the courses that best meet your needs!