On the 16th of January 2023, the NIS2 (Network and Information Security) Directive (EU 2022/2555) was adopted by the European Union. The directive comes in a context marked by a resurgence of cybercrime in both its forms and its numbers. In this context, it became evident that the previously adopted NIS directive was reaching its limits, as its scope was not sufficiently encompassing.

The Member States suffered a number of cyber incidents, sometimes targeting critical infrastructure. This was exacerbated by ever-growing, cross-sector digitalisation, which also meant new entry points for cybercrime: a situation that called for a more comprehensive framework to make EU-based entities more resilient and secure when faced with cybercrime.

The directive will need to be transposed by Member States into their national laws. Member States have until the 17th of October 2024 to implement it.

Obligations stemming from the directive

The NIS2 directive goes beyond the narrow scope of the NIS directive and enforces a set of obligations for a wide array of entities. The entities are categorised into two sectoral groups: Essential Entities (EE) and Important Entities (IE). The former encompasses sectors such as energy, transport and health, while the latter encompasses sectors such as manufacturing, digital providers and postal services. The scoping of the directive also introduces size thresholds: a turnover of 50 million euros and 250 employees for EE, and a turnover of 10 million euros and 50 employees for IE. The scope of the directive can be amended by Member States when they transpose it.

Incident-reporting obligations are a cornerstone of the directive; they aim mainly to increase vigilance and cooperation among essential and important entities when a cyberattack occurs. Incidents considered significant will need to be reported within 24 hours. The NIS2 directive also stipulates that the entities concerned must have sufficient risk-management measures in place, including policies, incident-handling and business-continuity protocols, and training.

NIS2 thus harmonises the obligations into a robust cybersecurity framework that goes beyond the narrow scope offered by the NIS directive.

The directive’s relevance to IoT-NGIN

The growing importance of the Internet of Things makes it a point of attention for cybersecurity strategies. Since NIS2 has a sectoral structure, IoT is not a point that the directive clearly addresses. However, it is evident that all important or essential entities covered by the directive that put IoT solutions in place are expected to comply with the standards stipulated by the directive when implementing such solutions.

Since they usually stem from complex supply chains, IoT solutions may present vulnerabilities. The directive refers to these only indirectly, in that it calls for security measures specific to the different layers of the supply chain.

Cybersecurity of IoT solutions is a main focus of IoT-NGIN. This is reflected, among other things, in the dedicated WP5 “Enhancing IoT Cybersecurity & Data Privacy”, which delves into next-generation IoT cybersecurity detection and protection.