Examining The NIS2 Directive From Outside The EU

The NIS2 Directive, which builds upon the original Network and Information Systems (NIS) Directive, aims to enhance the cybersecurity posture of critical sectors across the European Union.  

The original 2016 NIS Directive aimed to enhance the cyber resilience of EU Member States by establishing common security standards and incident reporting requirements for critical infrastructure and digital services.

However, its implementation proved challenging, leading to fragmentation across the internal market. Each Member State was given considerable flexibility in interpreting and applying the directive, resulting in varying levels of compliance, inconsistent regulatory approaches and differing cybersecurity practices across borders.  

It became apparent that this lack of uniformity created complexities for organisations operating in multiple countries, hindered effective cross-border cooperation and reduced the overall effectiveness of the directive in creating a cohesive and secure digital environment across the EU.

More Cohesive EU Cybersecurity  

As analysis from Global Regulatory Insights puts it: “The [original] NIS Directive makes an earnest attempt to foster cross-border cooperation for bolstering cybersecurity within the European Union. While it has made notable strides in promoting information sharing and mutual assistance, certain limitations, chiefly operational complexities and resource constraints, still need to be addressed. With the directive undergoing review and updates, there is an opportunity to refine these mechanisms to create a more cohesive and effective cybersecurity environment across the EU.” 

So, in 2021, the EU proposed a new, more encompassing directive, NIS2, which would address the issues relating to the original directive, while strengthening security requirements, addressing supply chain security, streamlining reporting obligations, creating more stringent supervisory measures and stricter enforcement requirements, and standardising penalties.

NIS2 officially entered into force in January 2023, underlining the urgency of the new Directive, with Member States being given until October 17, 2024, to incorporate it into national law.

Stricter Cyber Security  

NIS2 attempts to address the emerging threats and vulnerabilities organisations face, mandating stricter cybersecurity measures and greater accountability. But, while offering several strengths in bolstering cyber resilience, it still has some weaknesses.  

One of the new directive’s primary strengths is its comprehensive approach to cybersecurity. It significantly broadens the scope of entities required to comply, including medium and large organisations in more sectors than its predecessor. By extending the directive’s reach to cover a wider range of services, NIS2 ensures that more essential and important entities are adequately protected against cyber threats. It also introduces more stringent security measures and incident reporting requirements, compelling organisations to adopt a proactive stance on cybersecurity. This is crucial, as cyber threats are growing in both volume and sophistication, and businesses need to be resilient in the face of persistent cyberattacks.

NIS2 is the latest attempt to bring a unified standard to cybersecurity across the EU, which can reduce fragmentation and improve the overall security posture of member states.  

By harmonising cybersecurity regulations, NIS2 aims to create a level playing field, where all entities are subject to the same rules and standards. This not only simplifies compliance for organisations operating in multiple EU countries but also fosters cross-border cooperation in tackling cyber threats, which are often transnational in nature. In doing this, NIS2 enhances collective cybersecurity efforts, enabling better sharing of threat intelligence and coordinated responses to incidents. 

NIS2 Weaknesses 

But while NIS2 has its merits, it is not without its weaknesses. One of the key criticisms of the directive is its potential to place a significant burden on organisations, particularly smaller entities that may lack the resources to implement and maintain the required security measures. While the directive aims to exclude micro and small enterprises, the expanded scope to include medium-sized entities may still pose challenges. Costs associated with compliance, including investments in technology, personnel, and training, can be substantial. For organisations operating on thin margins or with limited cybersecurity expertise, these requirements may become overwhelming, potentially leading to reduced competitiveness or even non-compliance. 

Another perceived weakness of NIS2 is the directive’s prescriptive nature, which may not fully account for the dynamic and rapidly evolving nature of cyber threats. The directive mandates specific security measures and reporting procedures, which, while necessary to some extent, can also lead to a ‘checkbox’ mentality among organisations.  

Rather than fostering a culture of continuous improvement and adaptation, organisations might (have to) focus on mere compliance, potentially neglecting the broader strategic aspects of cybersecurity. Reliance on standardised measures may not always align with the unique risk profiles and needs of different sectors or organisations, resulting in a lack of flexibility in addressing diverse cybersecurity challenges. 

The UK Opportunity 

Given these strengths and weaknesses, the UK, no longer bound by EU directives post-Brexit, has an opportunity to chart its own path in cybersecurity regulation. Rather than adopting NIS2 wholesale, the UK government might consider an approach that balances regulatory oversight with flexibility and innovation.  

A potential alternative route, for example, might involve a more risk-based, outcome-focused framework, where the emphasis is placed on achieving specific security outcomes rather than adhering to rigid requirements. 

This approach would allow organisations to tailor their cybersecurity strategies to their specific risk profiles and operational contexts, promoting a culture of continuous improvement rather than mere compliance.  

The UK could also encourage greater collaboration between the public and private sectors, fostering an environment where threat intelligence is shared openly, and best practices are developed collectively. By adopting a more adaptive and collaborative approach, the UK could not only enhance its own cybersecurity posture but also position itself as a leader in cybersecurity innovation on the global stage. 

The UK could also focus on incentivising organisations to invest in cybersecurity by offering financial support, tax breaks or other benefits to those that demonstrate robust security practices.

Such measures could help alleviate the burden of compliance costs, particularly for smaller entities, while encouraging a proactive stance on cybersecurity. By aligning incentives with desired outcomes, the UK government could foster a more resilient and secure digital environment, where organisations are motivated to go beyond the minimum requirements and continuously enhance their security capabilities. 

While the NIS2 Directive certainly presents a well-considered, robust framework for enhancing cybersecurity across the EU, it is not without its flaws. The directive’s prescriptive approach and the potential compliance burden on organisations highlight the need for a more balanced strategy.  

The UK, with its newfound regulatory independence, has an opportunity to take a more flexible and innovative approach, focusing on risk-based outcomes, collaboration and incentivisation. By doing so, the UK can not only ensure a strong cybersecurity posture for its own organisations but also set an example for other nations to follow in the global fight against cyber threats. 

Notis Iliopoulos is VP of MRC at Obrela
