
NIS and NIS2 Directives

A key EU legislative framework (Directive (EU) 2022/2555) that strengthens the cybersecurity resilience of critical infrastructure. It requires Operators of Essential Services to implement robust risk management practices, security measures, and incident reporting obligations.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What are the NIS and NIS2 Directives?

The NIS Directive (Directive (EU) 2016/1148) was the first piece of EU-wide legislation on cybersecurity. To address the evolving threat landscape, it was replaced by the NIS2 Directive (Directive (EU) 2022/2555), which significantly expands the scope and strengthens the security requirements. Its core concept is to impose cybersecurity obligations on 'essential' and 'important' entities across critical sectors. Key mandates include implementing risk-based security measures, establishing incident handling capabilities, and reporting significant incidents to national authorities within strict deadlines (e.g., a 24-hour early warning). Within a risk management framework, NIS2 acts as a mandatory regulatory layer that compels a high standard of cyber governance. Its requirements align closely with the ISO/IEC 27001 standard for Information Security Management Systems, which serves as a practical framework for achieving NIS2 compliance.

How are the NIS and NIS2 Directives applied in enterprise risk management?

Applying the NIS2 Directive involves a systematic approach.

Step 1: Scope and Risk Assessment. An enterprise must first determine whether it falls within the scope of an 'essential' or 'important' entity. Following this, a comprehensive risk assessment of its network and information systems, guided by frameworks like ISO 31000, is conducted to identify threats and potential impacts.

Step 2: Implementation of Security Controls. Based on the assessment, the enterprise must implement the baseline security measures outlined in Article 21 of NIS2, such as supply chain security, encryption, and access control. These measures can be mapped to controls in ISO/IEC 27001 Annex A.

Step 3: Incident Response and Reporting. A robust incident response plan must be established to ensure significant incidents are reported to the national CSIRT within the mandated timeframes (e.g., 24-hour early warning, 72-hour detailed notification).

This leads to measurable outcomes like achieving over 95% compliance rates and reducing the financial impact of incidents by an average of 20%.

What challenges do Taiwanese enterprises face when implementing the NIS and NIS2 Directives?

Taiwanese enterprises face three key challenges with NIS2. First, indirect supply chain compliance: companies supplying goods or services to EU essential entities may be contractually obligated to meet NIS2 standards, creating compliance pressure without direct legal applicability. Second, resource and expertise gaps: the comprehensive requirements of NIS2 demand significant investment in technology and skilled personnel, which can be a major hurdle for SMEs. Third, complex cross-border reporting: an incident involving a data breach requires navigating both NIS2's incident reporting timelines and GDPR's personal data breach notification rules. To mitigate these, enterprises should prioritize: 1) conducting a supply chain impact assessment, 2) engaging external experts for a gap analysis and phased implementation, and 3) developing an integrated incident response plan that harmonizes NIS2 and GDPR requirements.

Why choose Winners Consulting for the NIS and NIS2 Directives?

Winners Consulting specializes in the NIS and NIS2 Directives for Taiwanese enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact
