Examining The NIS2 Directive From Outside The EU
The NIS2 Directive, which builds upon the original Network and Information Systems (NIS) Directive, aims to enhance the cybersecurity posture of critical sectors across the European Union.
The original 2016 NIS Directive aimed to enhance the cyber resilience of EU Member States by establishing common security standards and incident reporting requirements for critical infrastructure and digital services.
However, its implementation proved challenging, leading to fragmentation across the internal market. Each Member State was given considerable flexibility in interpreting and applying the directive, resulting in varying levels of compliance, inconsistent regulatory approaches and differing cybersecurity practices across borders.
It became apparent that this lack of uniformity created complexities for organisations operating in multiple countries, hindered effective cross-border cooperation, and reduced the overall effectiveness of the directive in creating a cohesive and secure digital environment across the EU.
More Cohesive EU Cybersecurity
As analysis from Global Regulatory Insights puts it: “The [original] NIS Directive makes an earnest attempt to foster cross-border cooperation for bolstering cybersecurity within the European Union. While it has made notable strides in promoting information sharing and mutual assistance, certain limitations, chiefly operational complexities and resource constraints, still need to be addressed. With the directive undergoing review and updates, there is an opportunity to refine these mechanisms to create a more cohesive and effective cybersecurity environment across the EU.”
So, in 2021, the EU proposed a new, more encompassing directive, NIS2, which would address the issues relating to the original directive while strengthening security requirements, addressing supply chain security, streamlining reporting obligations, creating more stringent supervisory measures and stricter enforcement requirements, and standardising penalties.
NIS2 officially entered into force in January 2023, underlining the urgency of the new Directive, with Member States being given until October 17, 2024, to incorporate it into national law.
Stricter Cyber Security
NIS2 attempts to address the emerging threats and vulnerabilities organisations face, mandating stricter cybersecurity measures and greater accountability. But, while offering several strengths in bolstering cyber resilience, it still has some weaknesses.
One of the new directive’s primary strengths is its comprehensive approach to cybersecurity. It significantly broadens the scope of entities required to comply, including medium and large organisations in more sectors than its predecessor. By extending the directive’s reach to cover a wider range of services, NIS2 ensures that more essential and important entities are adequately protected against cyber threats. It also introduces more stringent security measures and incident reporting requirements, compelling organisations to adopt a proactive stance on cybersecurity. This is crucial, as cyber threats are growing in both volume and sophistication, and businesses need to be resilient in the face of persistent cyberattacks.
NIS2 is the latest attempt to bring a unified standard to cybersecurity across the EU, which can reduce fragmentation and improve the overall security posture of member states.
By harmonising cybersecurity regulations, NIS2 aims to create a level playing field, where all entities are subject to the same rules and standards. This not only simplifies compliance for organisations operating in multiple EU countries but also fosters cross-border cooperation in tackling cyber threats, which are often transnational in nature. In doing this, NIS2 enhances collective cybersecurity efforts, enabling better sharing of threat intelligence and coordinated responses to incidents.
NIS2 Weaknesses
But while NIS2 has its merits, it is not without its weaknesses. One of the key criticisms of the directive is its potential to place a significant burden on organisations, particularly smaller entities that may lack the resources to implement and maintain the required security measures. While the directive aims to exclude micro and small enterprises, the expanded scope to include medium-sized entities may still pose challenges. Costs associated with compliance, including investments in technology, personnel, and training, can be substantial. For organisations operating on thin margins or with limited cybersecurity expertise, these requirements may become overwhelming, potentially leading to reduced competitiveness or even non-compliance.
Another perceived weakness of NIS2 is the directive’s prescriptive nature, which may not fully account for the dynamic and rapidly evolving nature of cyber threats. The directive mandates specific security measures and reporting procedures, which, while necessary to some extent, can also lead to a ‘checkbox’ mentality among organisations.
Rather than fostering a culture of continuous improvement and adaptation, organisations might (have to) focus on mere compliance, potentially neglecting the broader strategic aspects of cybersecurity. Reliance on standardised measures may not always align with the unique risk profiles and needs of different sectors or organisations, resulting in a lack of flexibility in addressing diverse cybersecurity challenges.
The UK Opportunity
Given these strengths and weaknesses, the UK, no longer bound by EU directives post-Brexit, has an opportunity to chart its own path in cybersecurity regulation. Rather than adopting NIS2 wholesale, the UK government might consider an approach that balances regulatory oversight with flexibility and innovation.
A potential alternative route, for example, might involve a more risk-based, outcome-focused framework, where the emphasis is placed on achieving specific security outcomes rather than adhering to rigid requirements.
This approach would allow organisations to tailor their cybersecurity strategies to their specific risk profiles and operational contexts, promoting a culture of continuous improvement rather than mere compliance.
The UK could also encourage greater collaboration between the public and private sectors, fostering an environment where threat intelligence is shared openly, and best practices are developed collectively. By adopting a more adaptive and collaborative approach, the UK could not only enhance its own cybersecurity posture but also position itself as a leader in cybersecurity innovation on the global stage.
The UK could also focus on incentivising organisations to invest in cybersecurity by offering financial support, tax breaks or other benefits to those that demonstrate robust security practices.
Such measures could help alleviate the burden of compliance costs, particularly for smaller entities, while encouraging a proactive stance on cybersecurity. By aligning incentives with desired outcomes, the UK government could foster a more resilient and secure digital environment, where organisations are motivated to go beyond the minimum requirements and continuously enhance their security capabilities.
While the NIS2 Directive certainly presents a well-considered, robust framework for enhancing cybersecurity across the EU, it is not without its flaws. The directive’s prescriptive approach and the potential compliance burden on organisations highlight the need for a more balanced strategy.
The UK, with its newfound regulatory independence, has an opportunity to take a more flexible and innovative approach, focusing on risk-based outcomes, collaboration and incentivisation. By doing so, the UK can not only ensure a strong cybersecurity posture for its own organisations but also set an example for other nations to follow in the global fight against cyber threats.
Notis Iliopoulos is VP of MRC at Obrela