Skip to content

Network and Information Security Directive 2 (NIS2)

We are not lawyers, this is not legal advise.

It is your responsibility to discover what law applies to you and how to best comply with it. In case of doubt, consult your Data Protection Officer (DPO) or equivalent.

The NIS2 Directive stands as a comprehensive EU-wide cybersecurity legislation, aimed at elevating the overall state of cybersecurity across the European Union. Imposing legal measures, it serves to fortify the digital landscape in the region.

Initiated in 2016, the EU's cybersecurity regulations underwent a substantial transformation with the enactment of the NIS2 Directive in 2023. This update was imperative to adapt to the expanding realm of digitization and the continuously evolving cybersecurity threats. The directive's enhancements extend the applicability of cybersecurity regulations to novel sectors and entities, thereby enhancing the resilience and response capabilities of public and private bodies, competent authorities, and the entire EU.

The NIS2 Directive, officially titled the Directive on measures for a high common level of cybersecurity across the Union, imposes legal requisites to augment cybersecurity throughout the EU. Its key provisions encompass ensuring the preparedness of Member States, mandating the establishment of essential capabilities like a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority. Furthermore, it promotes cooperation among Member States through the establishment of a Cooperation Group, fostering strategic collaboration and information exchange.

The directive seeks to instill a culture of security across critical sectors vital for the economy and society, heavily reliant on information and communication technologies (ICTs). These sectors include energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure.

To uphold the directive's objectives, businesses identified by Member States as operators of essential services in the specified sectors must implement suitable security measures and promptly report significant incidents to relevant national authorities. Similarly, key digital service providers, such as search engines, cloud computing services, and online marketplaces, are obligated to adhere to the security and notification requirements outlined in the directive.

The NIS2 Directive shares a strong connection with two additional initiatives: the Critical Entities Resilience (CER) Directive and the Regulation for Digital Operational Resilience in the Financial Sector, commonly known as the Digital Operational Resilience Act (DORA).

Which sectors are covered by the NIS2 Directive?

A lot more sectors than in the previous iteration. Society has become more digital, and as a result, more vulnerable to cyberattacks. It is clear that many use-cases where Welkin has been successfully used in the past are in scope for NIS2, including sectors of high criticality, healthcare, banking and the financial market, and general public administration.

The official FAQ lists the sectors in scope as follows:

Sectors of high criticality: energy (electricity, district heating and cooling, oil, gas and hydrogen); transport (air, rail, water and road); banking; financial market infrastructures; health including manufacture of pharmaceutical products including vaccines; drinking water; waste water; digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services); ICT service management (managed service providers and managed security service providers), public administration and space.

Other critical sectors: postal and courier services; waste management; chemicals; food; manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment; digital providers (online market places, online search engines, and social networking service platforms) and research organisations.

How does the NIS2 Directive relate to Welkin?

NIS2 Article 21(2) lists 10 so-called minimum requirements. These minimum requirements need to be translated into policies for your organization, which can then be technically implemented. Below is a list of pages, which help you translate such policies into implementation on top of Welkin.

NIS2 Minimum Requirement (b) Incident Handling

NIS2 Minimum Requirement (c) Backup Management

NIS2 Minimum Requirement (c) Disaster Recovery

NIS2 Minimum Requirement (d) Security of direct suppliers

NIS2 Minimum Requirement (e) Security in Network

NIS2 Minimum Requirement (e) Vulnerability Handling

NIS2 Minimum Requirement (h) Cryptography

NIS2 Minimum Requirement (h) Encryption-in-transit

NIS2 Minimum Requirement (i) Access Control

NIS2 Minimum Requirement (j) Multi-Factor Authentication

Out of Scope NIS2 Requirements

Note that, some requirements are out-of-scope for Welkin, as listed below:

NIS2 Minimum Requirement Justification for Exclusion
(a) policies on risk analysis and information system security This is a requirement on the management team, which a container platform product, like Welkin, cannot fulfill.
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures This is a requirement on the management team, which a container platform product, like Welkin, cannot fulfill.
(g) basic cyber hygiene practices and cybersecurity training Welkin is not a training solution. However, Elastisys can help. Check out our training.

Country- and Sector-Specific Requirements

Please see the following pages, also linked in the side bar, for country- and sector-specific rules on top of the NIS2 minimum requirements. Note that these rules were enacted under NIS1, as NIS2 still needs to be implemented in some EU Member States: