NIS2 changes

The Dutch implementation law for NIS2 (Cyberbeveiligingswet) is not ready yet, and the first changes to NIS2 have already been proposed. What are the changes in the European Commission's proposal?
Published on: 13/2/26

At the end of January, the European Commission presented a proposal for a new Cybersecurity package. The Dutch implementation law for NIS2 (Cyberbeveiligingswet, cbw) is not ready yet, and the first changes to NIS2 have already been proposed. There are a number of good reasons for this, given the developments in cybersecurity, digital resilience and geopolitics, and the EU's desire to lower the regulatory burden for companies.

NIS2 regulation

NIS2 is a directive. Directives must be implemented in each EU member state through a local implementation law. In the Netherlands, this is the Cyberbeveiligingswet (cbw). EU member states were required to implement their local law by October 2024. More and more countries have completed the implementation (such as Belgium, Germany, Italy and Denmark). The Netherlands has postponed the law a number of times, and the most recent expectation is now Q2 2026. The changes to NIS2 proposed by the European Commission may push the implementation date of the cbw back further.

Key changes

What are the most important changes for NIS2?

Geopolitical influence:

The geopolitical developments are reflected in the proposed amendments:

  • Entities that own or manage “strategic dual-use infrastructure” are covered by NIS2. This concerns civilian infrastructure that is also used by the military in times of war to transport equipment, goods and military personnel;
  • All types of submarine data transmission infrastructure will be covered by NIS2;
  • Suppliers of European Digital Identity Wallets and Business Wallets come into the scope of NIS2 regardless of their size (as essential entities). This is because of the possible major impact in the event of incidents;
  • EU member states must include the transition to post-quantum cryptography in their national cybersecurity strategy.

Modification of scope and definitions

  • The threshold for being classified as an essential entity is being extended by the introduction of a new category, the small mid-cap. As a result, fewer organizations will become essential. This rule mainly affects active supervision by regulators (the duty of care and the reporting requirements for NIS2 organizations do not change as a result);
  • Small DNS providers no longer fall under NIS2;
  • Adaptation and clarification of (sub) sectors in scope:
    • The lower limit for electricity producers is 1 MW capacity;
    • Distribution of chemicals has been removed. Chemical companies are in scope if they have to report chemicals (under EU regulation 1907/2006);
    • A number of healthcare providers are excluded, namely those that do not have to comply with EU regulation 2011/24 (patients' rights in cross-border healthcare): long-term care to support daily routine tasks, organ allocation and access to transplant organs, and public vaccination programs.

European implementation standards

In addition to the implementation standard for the IT Sector that has already been drawn up by ENISA, the European Commission can also impose implementation standards for other entities and sectors. The proposal states that Member States may subsequently no longer impose additional measures for those sectors.

Other adjustments

  • Organizations that fall under NIS2 can obtain certificates, for which the ECCF (EU Cybersecurity Certification Framework) sets up the certification schemes. Recently, a number of countries have strongly criticized the ECCF: in the past six years, only one certification scheme has been delivered. This should now happen within 12 months;
  • Better support for organizations that operate and are supervised in multiple Member States;
  • Supply chain security guidelines must be developed so that a standard level and depth for security in the supply chain is reached. The NIS2 Supply Chain certificate is a good solution for this;
  • The European Commission recommends not paying a ransom, but this remains rather vague: “As part of the International Counter Ransomware Initiative, the European Union supports a non-binding international policy ‘not to pay ransom’...”;
  • IT companies no longer have to register separately with ENISA (the national entity will forward the registration from now on).