The EU Network & Information Security 2 (NIS 2) Directive: a GRC approach with the main related ISO standards

22 May 2024 06:08 PM By itSMF Staff

Reading time: ~ 2 min.


The EU Network & Information Security 2 Directive (NIS 2)

Today's post focuses on Directive (EU) 2022/2555, the Network and Information Security Directive adopted by the European Parliament and the Council of the European Union, also known as «NIS 2».

The NIS 2 Directive lays down measures for a high common level of cybersecurity across the Union, and at the same time it:
  • amends Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the eIDAS Regulation);
  • amends Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (recast);
  • repeals Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the original NIS Directive).

Recall that the NIS 2 Directive (dated 14 December 2022) entered into force on 16 January 2023, and Member States had to transpose it into national law by 17 October 2024 at the latest.

As an EU directive, it lays down the results that each Member State must achieve, but it is up to each country to devise its own laws on how to reach them.

Where does the EU Network & Information Security 2 Directive (NIS 2) apply?

NIS 2 applies to all the sectors that the law defines as «critical», such as:
📘 energy;
📘 public services;
📘 financial services;
📘 health services;
📘 telecommunications;
📘 space;
📘 public administration;
📘 etc.

The EU Network & Information Security 2 Directive (NIS 2) structure

Directive (EU) 2022/2555 on Network & Information Security (NIS 2) is divided into the following chapters:

🔖 Whereas (144 recitals)
🔖 Chapter I: general provisions
🔖 Chapter II: coordinated cybersecurity frameworks
🔖 Chapter III: cooperation at Union and international level
🔖 Chapter IV: cybersecurity risk-management measures and reporting obligations
🔖 Chapter V: jurisdiction and registration
🔖 Chapter VI: information sharing
🔖 Chapter VII: supervision and enforcement
🔖 Chapter VIII: delegated and implementing acts
🔖 Chapter IX: final provisions
🔖 Annex I: sectors of high criticality
🔖 Annex II: other critical sectors

How can we manage compliance with all the requirements set by NIS 2? Our answer is a GRC (governance, risk and compliance) approach: let's take a closer look in the section below.

How to apply the NIS 2 EU Directive?

A GRC approach to applying Directive (EU) 2022/2555 can be built on the main ISO standards that map onto the Directive's requirements. The natural anchor point is Article 21(2), which lists the minimum cybersecurity risk-management measures (risk analysis and security policies, incident handling, business continuity and crisis management, supply chain security, and so on); each of the standards below covers one or more of those measures.

Let's look at them:

ISO/IEC 20000-1 on IT service management;

ISO/IEC 27001 on information security management;

ISO 22301 on business continuity;

ISO 31000 on risk management;

ISO/IEC 27035 on information security incident management.

Our infographic on the NIS2 Directive application with our GRC approach (and the main ISO standards)

To get the «big picture», take a look at our infographic:
By Andrea Leonardi (VP @ Minerva Group Service, MP @ Alpemi Consulting & itSMF Switzerland board member).
If you want to keep up to date with the most recent news on this topic, don't forget to follow our social media or subscribe to our newsletter.
