I Operate in the EU. How Does NIS2 Affect Me, and Why Act Now?

Shoring up your cybersecurity is more than a tick-box compliance exercise. It’s an opportunity to build trust with your stakeholders and push your business forward as fast and as adventurously as possible.
It seems that everyone’s talking about NIS2 these days, and with good reason.
The Network and Information Systems 2 Directive—commonly referred to as NIS2—represents the most comprehensive cybersecurity legislation that the European Union has ever seen. Described as NIS1 on steroids, the purpose of NIS2 is to establish a core set of cybersecurity measures for organizations that provide ‘essential’ and ‘important’ services to the EU’s economy.
Thirty-five domains fall within its scope. The usual sectors are covered (transport, health, energy, financial services) but also cloud providers, data centers, wastewater, chemical manufacturing, and more. Compliance is mandatory for both public administration bodies and private organizations providing essential services to the EU, regardless of their geographic location.
Going forward, you can assume that any entity competing to be a supplier for these sectors will also have to demonstrate their compliance with NIS2. So, it casts a wide net.
For time-stretched and under-resourced organizations, it’s tempting to see NIS2 as (another) costly compliance exercise. You may be tempted to put it on the back burner. Each Member State has to convert this directive into its own legislation and, until that happens, we don’t know what the local law will look like or how it will be enforced.
But it’s short-sighted to think of NIS2 as a compliance exercise alone.
In reality, NIS2 represents a golden opportunity to lock digital trust into everything you do—and unlock new service layers for your business.
Why has NIS2 been introduced?
NIS2 is a response to the growing cyber threats posed by digitalization, AI, and other technological game-changers. Incidents have escalated since the COVID pandemic and the start of the Ukraine war. Bad actors are using increasingly sophisticated methods to attack a wider set of targets—often looking for a vulnerable point of entry within IT supply chains.
Yet, according to ENISA, the European Union Agency for Cybersecurity, European organizations spend 41% less on cybersecurity than their US counterparts—hence the need to drive investment in this area.
The NIS2 directive requires much higher common levels of security within the critical sectors than its predecessor, NIS1. This includes measures to bolster the security of supply chains, streamline reporting obligations, and implement more stringent supervision and crisis response.
The focus on critical infrastructures recognizes their indispensable role in society. A breach in the energy sector, for example, could provoke civil unrest, cripple the economy, and directly endanger lives.
Why should NIS2 compliance be a priority?
The ‘stick’ of the law is ever present. Organizations can expect more and greater fines and/or withdrawal of licenses to operate if they do not comply with NIS2, depending on how it is localized into domestic legislation.
But there’s also a major ‘carrot’ to be had. The directive lays the technology foundations for a much bigger opportunity: digital trust.
Digital trust is the faith that we are interacting online with genuine people and organizations, rather than fraudsters, bots, and deep fakes. It is the unshakeable knowledge that the systems and technologies we rely on are secure, private, and dependable, whether we’re asking our bank to give proof of income to a landlord or transmitting energy usage data via a smart meter.
Identity and chain of custody are mission-critical to building trust in your digital assets. If your stakeholders don’t know for sure that they are interacting with you, not a fraudster, then they can’t trust anything else that happens downstream.
Just as police officers have to verify the integrity of evidence from collection to the courtroom, data must also be handled with care, moving from point A to point B in a manner that is legitimate, transparent, and provable.
While trust is an abstract idea, the World Economic Forum calls it the “trillion-dollar opportunity for our global economy.” McKinsey research shows that companies doing the most to establish digital trust are 1.6 times more likely than the global average to see revenue and EBIT growth rates of at least 10%.
In other words, trust is the ‘extra’ element that sits on top of security in the value chain. It allows you to bring new services to market and secure a competitive advantage, faster growth, and higher revenues—and it all starts with NIS2.
Where the law goes, technology follows
Legislation is not usually something to get excited about. But especially in the EU, where cross-border transactions are both common and necessary, you cannot innovate in isolation. There must be some kind of legal framework to establish the necessary security baseline for digital interactions. Otherwise, you won’t have the confidence to share data with digitally secure partners and you potentially expose your stakeholders to risk.
This is where NIS2 excels. It makes security fit for purpose, so it can support the trust-based innovations of the future. One way it does this is by requiring zero trust as an essential security measure in all in-scope entities.
Public Key Infrastructure (PKI) and certificate management will be especially important for organizations that want to implement NIS2 properly and build digital trust. PKI is a tried-and-true way to authenticate digital identity across many use cases. It increases trust because it provides a system and infrastructure to secure user and device identities, ensure data integrity, and confirm end-to-end data authenticity.
It’s easy to understand this in the context of cybersecurity, but harder to imagine the vast wider potential for businesses and society.
To help you visualize this, consider the following use cases. They are made possible by digital trust technologies that are already within arm’s reach:
Promoting tax integrity in Brazil
Legislation in the state of São Paulo, Brazil makes it obligatory for retailers to transmit the tax collected from every retail purchase directly to the tax authority, SEFAZ-SP. As you might imagine, any vulnerability in this process leaves retailers exposed, with no solid proof that the right amount of tax has been collected and transmitted to the right authority, at the right time.
To build trust in the system, AET Europe implemented an IoT solution that links point-of-sale terminals to digital identities. It’s a unique solution that protects consumers, retailers, and the tax authority in São Paulo: even if the tax remittances are lost, tampered with, or stolen, retailers and consumers will have a complete record of the payment, confirmation of its veracity, and the ability to prove full compliance. That’s trust.
Improving access to government services in Serbia
Serbia has traditionally been a paper-based society, relying on the physical transfer of forms from one municipality to another. This often resulted in citizens being excluded from basic social benefits due to lost, delayed, or overlooked paperwork. For example, a farmer may not have known about the availability of urgent subsidies because there was no transparency in the system.
To improve access to government services, AET Europe implemented digital identities allowing citizens and government entities to interact. Now, the same farmer could receive a message on their mobile phone informing them of their eligibility to apply for a certain grant or subsidy, based on their secure identity (e.g., location, occupation, and income data). This digital identity carries through the application, approval, and verification process, improving transparency and access to services.
Competitive edge for enterprises
Closer to home, consider the process of carrying out identity checks when onboarding employees, suppliers, and partners from outside the EU. Enterprises perform these checks routinely, and mostly it’s a once-and-done task. But what if you could prove the validity of the checks not just for the process itself, but for every further use of each identity check, whether that’s with tax authorities, insurance providers, or anyone else who needs to know that the person is who they claim to be?
In this scenario, a friction-removing digital trust architecture would eliminate the need to keep a safety reserve on your balance sheets, in case of error. That’s money an enterprise can put to better use, on higher-value projects. That enterprise would also be positioned to leapfrog companies that cannot hire as quickly, or offer such a high-quality experience.
What can organizations do now?
When viewed through the lens of trust, it’s clear that preparing for NIS2 isn’t a backroom compliance issue. It’s an opportunity to build the transformative security infrastructure that will allow you to launch and operate highly trusted digital services.
Right now, organizations face the complex task of assessing current infrastructures, selecting the right technology, meeting legal requirements, and engaging employees in the implementation process. It’s a challenging endeavor, so make sure your focus is right.
Start with what you can achieve in terms of your competitiveness, stakeholder relationships, profitability, and openness to new business models. Team up with a trusted partner. Bring trust into the conversation, and use that to clarify priorities and guide your investment.
It may be two or three years before the NIS2 directive becomes effective in Dutch law, so you do have some time. Everyone benefits if you use it proactively!