EU extends NIS Directive to IoT, Infrastructure

  • October 24, 2024
  • William Payne

The European Union has updated its Network and Information Systems (EU NIS) Directive, strengthening cybersecurity requirements and extending them into new critical infrastructure sectors such as energy, health, transport and digital infrastructure. EU NIS 2 also expands the technical scope of the original NIS Directive to IoT. The Directive was passed in February 2023, and comes into force in October 2024.

EU NIS 2 (Network and Information Systems Directive 2) has significant implications for IoT devices and products. As the directive aims to enhance cybersecurity across the EU, it introduces new requirements that directly impact the security of IoT ecosystems.

The directive’s scope has been broadened to include sectors like energy, transport, health, and digital infrastructure. Many IoT devices and systems fall within these sectors, making them subject to EU NIS 2 compliance. Covered entities, including those using IoT devices, are required to conduct a risk assessment to identify potential cybersecurity threats. This includes evaluating the vulnerabilities of IoT devices and their potential impact on the overall security of the network.

EU NIS 2 mandates that covered entities implement appropriate security measures to manage cybersecurity risks. For IoT devices, this means ensuring that they meet specific security standards. These include: secure boot processes; strong authentication mechanisms; regular software updates and patches; data encryption; and secure communication protocols.

In addition, covered entities must report cybersecurity incidents and breaches to competent authorities. This includes incidents involving IoT devices that compromise the security of the network or data. EU NIS 2 also emphasises the importance of supply chain security. This means that organisations must ensure that the IoT devices they procure meet specific security standards and that their suppliers are also compliant with the directive.

Overall, EU NIS 2 is intended to drive a higher level of security for IoT devices and products. By requiring risk assessments, security measures, and incident reporting, the directive is intended to help mitigate the risks associated with IoT vulnerabilities and protect against cyberattacks.

The EU NIS 2 Directive is a significant update to the original EU NIS Directive. The differences include an expanded scope, enhanced security requirements, a stronger enforcement regime, increased cooperation between member states, and the extension of the cybersecurity requirements to IoT and critical infrastructure.

The extended scope of the new directive means that more organisations, vendors, technologies and sectors fall under the regulations. It brings IoT directly within the force of the directive, whereas the original directive did not cover IoT directly, focusing instead on computing systems.

EU NIS 2 also provides for stricter penalties, including fines and potential legal action, for non-compliance.

The directive defines two classes of organisation that must comply with the cybersecurity requirements and are liable to fines: “essential” and “important”. “Essential entities” are large organisations in sectors that are listed in Annex 1 of the NIS 2 Directive. These Annex 1 sectors include: energy; transport; banking; financial markets infrastructure; healthcare; drinking water; digital infrastructure; and ICT services management (business-to-business).

Medium-sized organisations in Annex 1 sectors, as well as large and medium-sized entities in Annex 2 sectors, are defined as “important entities”. Annex 2 sectors include: digital providers; postal and courier services; waste management; manufacturing, production, and distribution of chemicals; production, processing, and distribution of food; research; and manufacturing.

For essential entities, the directive requires EU member states to provide for a maximum fine of at least €10,000,000 or 2% of global annual revenue, whichever is higher.

For important entities, the directive requires member states to provide for a maximum fine of at least €7,000,000 or 1.4% of global annual revenue, whichever is higher.

The original directive encouraged cooperation between EU member states on maintaining cybersecurity. The new directive requires it, and establishes a Cooperation Group to enable information sharing, best practices, and joint initiatives. This can be seen as a consequence of extending the directive to cover critical national infrastructure, including energy, transportation and healthcare, where so many systems are critically interrelated. It is also a response to growing strategic threats to European countries in the light of the invasion of Ukraine, and to more aggressive stances by both nation-state and criminal threat actors.

In addition to extending the scope of the NIS Directive to cover IoT, the new directive also addresses cloud computing and AI cybersecurity.

In summary, EU NIS 2 is a more comprehensive and stringent piece of legislation that aims to improve cybersecurity across the European Union. It builds upon the original NIS Directive by expanding its scope, strengthening security requirements, and enhancing enforcement mechanisms.