
NIS 2 Directive Raises the Bar for Organisational Cyber Risk

SBD Community
Maintainer

The NIS 2 Directive (EU 2022/2555) was published in the Official Journal of the EU in December 2022, officially replacing the original NIS Directive. This new legislation significantly expands the scope of Europe's cybersecurity rules, imposing stricter risk-management and reporting obligations on a wider range of critical sectors.

While the Cyber Resilience Act (CRA) focuses on the security of products, NIS 2 targets the cybersecurity posture of the organisations that provide essential services.

Key Changes from NIS 1

  • Expanded Scope: The directive now covers new sectors such as digital providers, waste management, and manufacturing of critical products (e.g., medical devices, electronics). It also distinguishes between "essential" and "important" entities, with different levels of oversight.
  • Stricter Obligations: Covered entities must implement a baseline of security measures, including incident handling, supply chain security, and vulnerability disclosure policies.
  • Tougher Enforcement: National authorities gain stronger supervisory powers, and penalties for non-compliance are significantly increased, with fines of up to €10 million or 2% of worldwide turnover.
  • Board-Level Responsibility: The directive explicitly makes corporate management liable for approving and overseeing the implementation of cybersecurity risk-management measures.

For manufacturers, the link between NIS 2 and the CRA is crucial. An organisation that is deemed an "essential entity" under NIS 2 and manufactures products with digital elements will have to comply with both sets of regulations. The organisational security practices mandated by NIS 2 (like vulnerability management) are the necessary foundation for producing the secure products required by the CRA.

For more details on how NIS 2 interacts with product-specific laws, see our main NIS 2 Directive Overview and our CRA Overview.