Examining The NIS2 Directive From Outside The EU

Uploaded on 2025-05-16 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Law

The NIS2 Directive, which builds upon the original Network and Information Systems (NIS) Directive, aims to enhance the cybersecurity posture of critical sectors across the European Union.  

The original 2016 NIS Directive aimed to enhance the cyber resilience of EU Member States by establishing common security standards and incident reporting requirements for critical infrastructure and digital services.

However, its implementation proved challenging, leading to fragmentation across the internal market. Each Member State was given considerable flexibility in interpreting and applying the directive, resulting in varying levels of compliance, inconsistent regulatory approaches and differing cybersecurity practices across borders.  

It became apparent that this lack of uniformity created complexities for organisations operating in multiple countries hindered effective cross-border cooperation and reduced the overall effectiveness of the directive in creating a cohesive and secure digital environment across the EU. 

More Cohesive EU Cybersecurity  

As analysis from Global Regulatory Insights puts it: “The [original] NIS Directive makes an earnest attempt to foster cross-border cooperation for bolstering cybersecurity within the European Union. While it has made notable strides in promoting information sharing and mutual assistance, certain limitations, chiefly operational complexities and resource constraints, still need to be addressed. With the directive undergoing review and updates, there is an opportunity to refine these mechanisms to create a more cohesive and effective cybersecurity environment across the EU.” 

So, in 2021, the EU proposed a new, more encompassing directive, NIS2, which would address the issues relating to the original directive, while strengthening security requirements, addressing supply chain security, streamlining reporting obligations and creating more stringent supervisory measures and stricter enforcement requirements, and standardise penalties.  

NIS2 officially entered into force in January 2023 – underlining the urgency of the new Directive - with Member States being given until October 17, 2024, to incorporate it into national law.  

Stricter Cyber Security  

NIS2 attempts to address the emerging threats and vulnerabilities organisations face, mandating stricter cybersecurity measures and greater accountability. But, while offering several strengths in bolstering cyber resilience, it still has some weaknesses.  

One of the new directive’s primary strengths is its comprehensive approach to cybersecurity. It significantly broadens the scope of entities required to comply, including medium and large organisations in more sectors than its predecessor. By extending the directive’s reach to cover a wider range of services, NIS2 ensures that more essential and important entities are adequately protected against cyber threats. It also introduces more stringent security measures and incident reporting requirements, compelling organizations to adopt a proactive stance on cybersecurity. This is crucial, as cyber threats are growing in both volume and sophistication, and businesses need to be resilient in the face of persistent cyberattacks. 

NIS2 is the latest attempt to bring a unified standard to cybersecurity across the EU, which can reduce fragmentation and improve the overall security posture of member states.  

By harmonising cybersecurity regulations, NIS2 aims to create a level playing field, where all entities are subject to the same rules and standards. This not only simplifies compliance for organisations operating in multiple EU countries but also fosters cross-border cooperation in tackling cyber threats, which are often transnational in nature. In doing this, NIS2 enhances collective cybersecurity efforts, enabling better sharing of threat intelligence and coordinated responses to incidents. 

NIS2 Weaknesses 

But while NIS2 has its merits, it is not without its weaknesses. One of the key criticisms of the directive is its potential to place a significant burden on organisations, particularly smaller entities that may lack the resources to implement and maintain the required security measures. While the directive aims to exclude micro and small enterprises, the expanded scope to include medium-sized entities may still pose challenges. Costs associated with compliance, including investments in technology, personnel, and training, can be substantial. For organisations operating on thin margins or with limited cybersecurity expertise, these requirements may become overwhelming, potentially leading to reduced competitiveness or even non-compliance. 

Another perceived weakness of NIS2 is the directive’s prescriptive nature, which may not fully account for the dynamic and rapidly evolving nature of cyber threats. The directive mandates specific security measures and reporting procedures, which, while necessary to some extent, can also lead to a ‘checkbox’ mentality among organisations.  

Rather than fostering a culture of continuous improvement and adaptation, organisations might (have to) focus on mere compliance, potentially neglecting the broader strategic aspects of cybersecurity. Reliance on standardised measures may not always align with the unique risk profiles and needs of different sectors or organisations, resulting in a lack of flexibility in addressing diverse cybersecurity challenges. 

The UK Opportunity 

Given these strengths and weaknesses, the UK, no longer bound by EU directives post-Brexit, has an opportunity to chart its own path in cybersecurity regulation. Rather than adopting NIS2 wholesale, the UK government might consider an approach that balances regulatory oversight with flexibility and innovation.  

A potential alternative route, for example, might involve a more risk-based, outcome-focused framework, where the emphasis is placed on achieving specific security outcomes rather than adhering to rigid requirements. 

This approach would allow organisations to tailor their cybersecurity strategies to their specific risk profiles and operational contexts, promoting a culture of continuous improvement rather than mere compliance.  

The UK could also encourage greater collaboration between the public and private sectors, fostering an environment where threat intelligence is shared openly, and best practices are developed collectively. By adopting a more adaptive and collaborative approach, the UK could not only enhance its own cybersecurity posture but also position itself as a leader in cybersecurity innovation on the global stage. 

The UK could also focus on incentivizing organizations to invest in cybersecurity by offering financial support, tax breaks or other benefits to those that demonstrate robust security practices.  

Such measures could help alleviate the burden of compliance costs, particularly for smaller entities, while encouraging a proactive stance on cybersecurity. By aligning incentives with desired outcomes, the UK government could foster a more resilient and secure digital environment, where organisations are motivated to go beyond the minimum requirements and continuously enhance their security capabilities. 

While the NIS2 Directive certainly presents a well-considered, robust framework for enhancing cybersecurity across the EU, it is not without its flaws. The directive’s prescriptive approach and the potential compliance burden on organisations highlight the need for a more balanced strategy.  

The UK, with its newfound regulatory independence, has an opportunity to take a more flexible and innovative approach, focusing on risk-based outcomes, collaboration and incentivisation. By doing so, the UK can not only ensure a strong cybersecurity posture for its own organisations but also set an example for other nations to follow in the global fight against cyber threats. 

Notis Iliopoulos is VP of MRC at Obrela

You Might Also Read: 

EU To Strengthen Cyber Defence In Healthcare:

If you like this website and use the comprehensive 8,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Lockbit Ransomware Group Hacked
China Introducing Strict Controls On AI Data Centres »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Brit

Brit

Brit PLC is a market-leading global specialty insurer and reinsurer, focused on underwriting complex risks including cyber, privacy and technology.

Salient CRGT

Salient CRGT

Salient CRGT is a leading provider of health, data analytics, cloud, agile software development, mobility, cyber security, and infrastructure solutions.

Cyber Seguridad (Cyberseg)

Cyber Seguridad (Cyberseg)

Cyberseg provides specialized Cybersecurity services, including managed services (SOC / CERTs) and solutions for the protection of critical infrastructures.

DynaRisk

DynaRisk

DynaRisk helps companies protect their staff, clients and supply chain from cyber threats by enabling people to take action for themselves.

Agesic

Agesic

Agesic is an institution that leads the development of the Digital Government and the Information and Knowledge Society in Uruguay.

FileWave

FileWave

FileWave offers a single solution for managing apps, devices, and more for Mac, Windows, and mobile devices.

ISMS.online

ISMS.online

ISMS.online is a cloud software solution for fast & cost-effective implementation of an information security management system and achieve compliance with ISO 27001 and other standards.

QGroup

QGroup

QGroup has been re-designing the consultancy industry since 2012. We're a rapidly expanding group of consulting companies that deliver bespoke IT services including cybersecurity.

Technisanct

Technisanct

Technisanct works with Governments, especially Law Enforcement and Defence agencies, helping them in monitoring threats, managing their data and resolving their forensic needs.

Input Output (IOHK)

Input Output (IOHK)

IOHK is one of the world's pre-eminent blockchain infrastructure research and engineering companies.

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV) is a 6000+ members angel investing firm which supports new-age entrepreneurs by connecting them with a diverse group of investors.

PKI Solutions

PKI Solutions

PKI Solutions offers Public Key Infrastructure (PKI) products, services, and training to help ensure the security of organizations now and in the future.

Riskonnect

Riskonnect

Riskonnect technology empowers organizations with the ability to anticipate, manage, and respond in real-time to strategic, operational, and digital risks across the extended enterprise.

Central Intelligence Agency (CIA) - USA

Central Intelligence Agency (CIA) - USA

The CIA is an independent agency responsible for providing national security intelligence to senior US policymakers. This includes cyber security related activities.

NeuroID

NeuroID

NeuroID combines the power of industry-leading behavioral analytics with advanced device and network intelligence to create your first line of defense against malicious bots, bad actors, and fraud.

Trustlink Technologies

Trustlink Technologies

Trustlink Technologies is an information technology company founded with a steadfast vision to fortify the digital landscapes of businesses through a foundation of trust.