What is NIS2?

The NIS2 Directive, or the second Network and Information Systems Directive, is a regulatory framework enacted by the European Union to enhance cybersecurity measures across its member states. Building upon the foundation established by the original NIS Directive, NIS2 reflects an evolution in response to emerging digital threats and technological advancements.

NIS2 focuses on strengthening the resilience of critical infrastructure and digital services by imposing specific obligations on essential entities and digital service providers. It outlines measures to secure network and information systems, emphasizing the importance of risk analysis, incident handling, and cooperation among member states.

Key aspects of the NIS2 Directive include extending its scope to cover a broader range of digital service providers, enhancing incident reporting obligations, promoting collaboration and information sharing among competent authorities, and emphasizing the role of risk management in ensuring the continuity of essential services.

Ultimately, the NIS2 Directive aims to create a harmonized and proactive cybersecurity environment within the EU, fostering collective efforts to mitigate cyber threats and safeguard the integrity of critical digital infrastructure.

Whether you’re a seasoned cybersecurity professional, a business owner navigating compliance, or an enthusiast delving into EU regulations, this extensive glossary aims to guide you through the intricacies of NIS2.

1. NIS Directive (Network and Information Systems Directive)

The NIS Directive, instituted in May 2018, serves as the bedrock of cybersecurity regulations in the European Union (EU). Its primary objective is to fortify the security and resilience of critical infrastructure and digital services across EU member states, setting a precedent for subsequent developments like the NIS2 Directive.

2. NIS2 Directive

The NIS2 Directive is a progressive evolution, addressing emerging cybersecurity challenges in the ever-changing digital landscape. Beyond refining existing provisions, it introduces novel measures to adapt to the evolving threat landscape, underlining the continuous commitment to robust cybersecurity practices.

3. Essential and Important Entities

NIS2‘s regulatory framework stands as a barricade, meticulously shaping specific obligations to fortify the security and ensure the continuous operation of services deemed indispensable for public order, health, safety, and economic activities. Within the realm of NIS2, essential and important entities constitute the following:

Key Sectors within NIS2

Energy

• Electricity: Organizations involved in the generation, transmission, and distribution of electrical power.
• Oil and Gas: Entities engaged in the extraction, refining, and distribution of oil and gas resources.
• District Heating and Hydrogen: Focused on ensuring the security and reliability of district heating systems and hydrogen production.

Transport

• Air, Rail, Water, and Road: Encompassing entities involved in air travel, railways, maritime transport, and road infrastructure, crucial for the movement of goods and people.

Financial Services 

• Banking: Financial institutions integral to the functioning of the economy.
• Financial Market Infrastructures: Entities that provide the backbone for financial transactions, including stock exchanges and clearinghouses.

Healthcare Industry

• Healthcare: Encompassing medical facilities, laboratories, and research institutions focused on pharmaceuticals and medical devices.

Utilities

• Drinking Water and Wastewater: Entities responsible for ensuring the safety and availability of drinking water, with wastewater management included if it constitutes a primary activity.

Digital Infrastructures:

• Telecom: Entities providing telecommunication services.
• DNS (Domain Name System) and TLD (Top-Level Domain): Crucial components of the internet’s addressing system.
• Data Centers: Facilities for storing, processing, and managing digital information.
• Trust Services and Cloud Services: Entities offering secure digital trust services and cloud computing solutions.

Digital Services:

• Search Engines, Online Markets, Social Networks: Platforms shaping the digital landscape and influencing user interactions.

Other Critical Sectors:

• Space: Entities involved in space exploration, satellite communications, and related technologies.
• Postal and Courier Services: Essential for the movement of physical goods and documents.
• Waste Management: Organizations responsible for the proper disposal and management of waste.
• Chemicals: Covering the production and distribution of chemicals.
• Food: Encompassing entities involved in the production, processing, and distribution of food products.
• Manufacturing: Specifically targeting the production of medical, computer, and transport equipment.

4. Network and Information Systems

At the core of NIS2 lies the imperative to secure network and information systems. These encompass a vast array of interconnected hardware, software, communication networks, and data repositories. Safeguarding these systems is pivotal, not only to prevent disruptions but also to uphold the integrity of essential services that rely on them.

5. Security Incidents

In the context of NIS2, security incidents encompass events that jeopardize the confidentiality, integrity, or availability of information and systems. NIS2 mandates organizations to establish robust incident response mechanisms, ensuring the prompt detection, response to, and recovery from such incidents.

6. Threat Landscape

The dynamic and multifaceted threat landscape refers to the myriad cybersecurity risks that organizations confront. NIS2 underscores the importance of continuous monitoring and assessment to adapt security measures proactively, ensuring resilience in the face of evolving threats.

7. EU Member States

NIS2’s reach extends across all EU member states, advocating for a harmonized approach to cybersecurity regulations. Member states are tasked with transposing the directive into their national laws, designating competent authorities to oversee compliance, thereby fostering a cohesive and standardized cybersecurity framework.

8. Business Continuity

Business continuity, a foundational concept emphasized by NIS2, involves meticulous planning and execution of strategies. This ensures that essential services persist during and after a cybersecurity incident, underscoring NIS2’s commitment to minimizing disruptions and maintaining service integrity.

9. Annual Turnover

NIS2 introduces considerations based on an organization’s annual turnover to delineate the scope of its obligations. Organizations surpassing specified thresholds may face additional cybersecurity requirements and reporting obligations, tailoring the regulatory burden to the scale and impact of the entity.

10. Incident Handling

Critical to NIS2 compliance is incident handling, encompassing the processes and procedures organizations employ to detect, respond to, and recover from cybersecurity incidents. NIS2 emphasizes the pivotal role of effective incident handling in mitigating the impact of security breaches.

11. Competent Authorities

Designated by EU member states, competent authorities play a pivotal role in the NIS2 regulatory framework. These authorities oversee and enforce compliance, fostering collaboration to share information and ensure a coordinated response to emerging cybersecurity threats.

12. Essential Services

Essential services, as categorized by NIS2, span sectors such as energy, transport, healthcare, and digital infrastructure. Organizations providing essential services are subject to specific cybersecurity requirements, a recognition of their critical role in maintaining societal functions.

13. Risk Analysis and Information

Integral to NIS2 compliance is risk analysis, a systematic assessment of potential threats, vulnerabilities, and impacts on network and information systems. This enables organizations to implement tailored and effective security measures aligned with their specific risk landscape.

14. Multi-Factor Authentication

NIS2 promotes the adoption of multi-factor authentication as an additional layer of security. Recognizing its efficacy in enhancing access controls, this method safeguards against unauthorized access to critical systems, aligning with NIS2’s focus on robust access security.

15. Incident Reporting Obligations

Organizations falling under the purview of NIS2 must adhere to incident reporting obligations. Prompt reporting of significant cybersecurity incidents to competent authorities is mandated, facilitating a coordinated response and enabling the sharing of vital threat intelligence.

16. National Law

EU member states are pivotal in the implementation of NIS2, transposing its provisions into national law. Compliance with national legislation ensures uniformity in cybersecurity standards across the European Union, aligning with the collaborative spirit of the directive.

17. Search Engines and Online Marketplaces

NIS2 extends its regulatory scope to include digital service providers like search engines and online marketplaces. These entities, integral to the digital ecosystem, must comply with stringent cybersecurity requirements, contributing to the overall resilience of digital infrastructure.

18. Cybersecurity Requirements

The NIS2 Directive provides a comprehensive framework outlining specific cybersecurity requirements for organizations. Essential entities and digital service providers are particularly mandated to implement these measures, ensuring the robust protection of their network and information systems.

19. Digital Infrastructure

Digital infrastructure forms the backbone of the modern digital economy, encompassing interconnected systems and services. NIS2 addresses the cybersecurity needs of digital infrastructure, recognizing its significance in maintaining the integrity and security of the broader digital ecosystem.

20. Cybersecurity Incidents

A broad umbrella term, cybersecurity incidents encapsulate diverse events, from data breaches to denial-of-service attacks. NIS2 emphasizes the importance of promptly reporting and mitigating such incidents, ensuring a swift and coordinated response to minimize their impact on essential services and digital infrastructure.

21. Robust DNS Infrastructure

To ensure harmonization and consistency, NIS2 makes it much more explicit which organizations the legislation applies to and the requirements they should fulfill. In terms of the DNS, NIS2 focuses on a common baseline of security requirements that aims to ensure a unified and robust approach to the DNS infrastructure used throughout the EU.

In conclusion, staying informed and compliant with NIS2 is paramount. This comprehensive glossary serves as a valuable reference for navigating the intricacies of NIS2 and its nuanced terminology. For the latest updates and official guidance, consult authoritative sources such as the European Union’s publications on the NIS2 Directive. The collective effort to protect network and information systems is crucial, and understanding these key terms is a fundamental step towards fostering a more secure digital landscape.