Mon Jun 06 2022

EU’s NIS 2 Directive to improve cybersecurity across European businesses


The year 2020 brought a wave of increased remote connectivity. As businesses worldwide compete to become more digital, they also increase their exposure on the Internet.

Digital transformation is encouraged, embraced, and rushed. Businesses need to securely let go of IT debt and old technology as they embrace new technologies.

All of this is to say that the wave of remote connectivity and digital transformation can leave businesses stuck between a rock and a hard place.

From a cybersecurity viewpoint, connecting remotely and introducing new technology translates into an increased threat surface that malicious hackers can exploit. A common response from businesses is to increase cybersecurity spending without a strategy. They rush to figure out ways to 'fix the issue'. However, the digital footprint resulting from increased connectivity and digital transformation is not a problem to be fixed but a process to be managed.

At the European level, the NIS 2 Directive aims to improve cybersecurity processes across European businesses.

The guidance from the Directive on security of network and information systems (the NIS Directive) describes legal measures which support cybersecurity by design. At a high level, some of the areas covered are:

  • At the national level, EU countries will need to demonstrate cybersecurity preparedness.
  • Collaboration between all the EU Member States to exchange knowledge.
  • Foster a culture of security across sectors that are vital for the European economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

A pragmatic approach with the 'NIS Toolkit'

As the cybersecurity threat landscape moves fast, the NIS Directive attempts to keep up. The European Commission adopted a Communication to support Member States in their efforts to implement the Directive.

The idea is to provide practical information, such as best practices from other Member States on implementing the Directive.

Last but not least, the focus is on operators of essential services. They are now responsible for notifying national authorities of serious cyber incidents.

In conclusion, the NIS Directive can be seen as a compliance requirement as well as an opportunity to improve security by taking guidance from regulators and exchanging best practices with industry peers.


Silvana Precup


Cybersecurity professional experienced in cross-functional roles bridging between top management, risk functions, IT and security operations teams. With a knack for TPRM and digital footprint.
