The new cybersecurity rules: Is your company ready for NIS2?


In the ever-evolving landscape of technology, and fintech in particular, risk management is both a necessity and a legal obligation. As digital services continue to disrupt traditional business models, it’s becoming important to think not only of opportunities, but also of threats. Olegs Cernisevs, Doctor of Science, CTO of Blackcatcard and expert on risk management, sheds light on the new EU directive that aims to further strengthen cybersecurity in European countries.

NIS2 is the latest European Union directive aimed at strengthening cybersecurity across essential and important sectors. It builds upon its predecessor, the original NIS Directive, by setting stricter requirements for businesses and organizations that play a crucial role in maintaining the economy and society. The goal of NIS2 is to enhance resilience against cyber threats, improve incident reporting, and create a more unified approach to cybersecurity across the EU.

The directive applies to a wide range of companies operating in key sectors such as energy, transport, banking, healthcare, public administration, and digital infrastructure. Businesses that fall under this category must meet stricter cybersecurity obligations, including risk management measures, incident reporting, and governance responsibilities. Even companies that were not previously covered by the original NIS Directive – from manufacturers of medical devices to social network providers – may now fall under NIS2 if they are deemed to be of significant importance to the EU’s critical infrastructure.

When discussing cybersecurity regulations, many also refer to DORA, the Digital Operational Resilience Act. While both NIS2 and DORA aim to strengthen cybersecurity, they serve different purposes. NIS2 focuses on a broad range of essential sectors, ensuring they have adequate cyber defenses and incident reporting mechanisms in place. DORA is specifically designed for the financial sector, addressing operational resilience in banks, insurance companies, and financial service providers. Apart from that, DORA is more focused on individual firms and their compliance with cybersecurity standards, while the aim of NIS2 is to create a united European crisis management structure for cybersecurity.

What is the deadline for implementing NIS2? It depends on the jurisdiction. Some countries, like Latvia, Italy, Hungary or Belgium, have already approved national laws based on the NIS2 directive. However, other countries, including Malta, are still in the process of transposing the directive into national law.

Companies affected by NIS2 should start preparing now to ensure compliance before the directive is fully enforced. This includes reviewing existing cybersecurity measures, implementing risk management strategies, and establishing clear protocols for reporting cyber incidents. Organizations must also pay close attention to supply chain security, as NIS2 emphasizes the need for strong protection across all levels of a business’s operations. Non-compliance could result in significant penalties, making it crucial for companies to take proactive steps.

However, according to Olegs Cernisevs, companies should be interested in effective risk management for its own sake and take a proactive approach to cybersecurity even if their country has not yet implemented the NIS2 directive. It’s not just about compliance with European regulations – it’s about gaining a competitive edge in a rapidly evolving industry.

As cybersecurity threats continue to evolve, NIS2 represents an important step toward a safer digital environment. Businesses should not only view it as a regulatory requirement but also as an opportunity to strengthen their defences against the ever-growing risks of cyberattacks.
