NIS and NIS2, what changes for the logs?


  • log
  • log management
  • regulatory compliance

NIS and NIS2, what changes for the logs?

The NIS (Directive 2016/1148/EC) is a 2016 European directive that became effective in 2018, aimed at strengthening cybersecurity in certain sectors considered essential for the European Union. Recently, the latest version of the NIS (NIS2) was published by the EU, which will replace the NIS1 and must be adopted and integrated by the various EU member states within 21 months of its adoption on November 28, 2022.

The directive has three objectives:

  • Increase the cybersecurity resilience of a specific set of companies considered fundamental within the EU system;
  • Reduce inconsistencies in resilience in the internal market in the sectors already covered by the directive;
  • Improve the level of common situational awareness and collective capacity in preparing for and responding to cyber threats.

What are the main novelties introduced by the NIS2?

The main novelty of the NIS2 is the expansion of economic sectors subject to the directive. In the original NIS, the following sectors were included:

  • Transport (air, rail, maritime, road)
  • Banks
  • Financial market infrastructures
  • Health
  • Drinking water
  • Digital infrastructure, which has been expanded to include data centres, content delivery network providers, trust service providers, public electronic communications network providers, and publicly available electronic communication services

In the NIS2, the following sectors have also been added:

  • Wastewater;
  • Management of B2B ICT services;
  • Public administration;
  • Space;
  • Digital providers, consisting of online markets, online search engines, social networking platforms;
  • Waste management;
  • Manufacturing areas;
  • Production and distribution of chemicals;
  • Production, processing, and distribution of food;
  • Manufacturing;
  • Postal services;
  • Couriers;
  • Research organizations.

Not all companies in these sectors will be subject to compliance, as there will be a distinction criterion based on size, i.e. medium and large-sized subjects.

Important, Essential, and Excluded Entities

The new NIS2 directive distinguishes between “essential” and “important” entities in order to have different application regimes of the regulation. Finally, some entities have been explicitly excluded, such as:

  • National defence or security
  • Public safety and law enforcement
  • Judiciary
  • Parliaments
  • Central banks

New sanctions for violating the NIS2

Violating the NIS2 entails two types of sanctions:

  • With the obligation of member states to establish the possibility and conditions, the suspension of the company’s activities, or the imposition of specific prohibitions;
  • Sanctions of up to €10 million or 2% of the previous year’s global turnover for essential companies, while sanctions of up to €7 million or 1.7% of the previous year’s global turnover for important companies;
    • If a cyber incident has resulted in a data breach under the GDPR, the administrative sanctions of the NIS2 do not apply.

Log Management and the NIS2

NIS1 required companies operating in the sectors considered essential (OES) to structure minimum security measures, including logging systems, log analysis, and log correlation. There is nothing to suggest that there may be differences within the NIS2. In any case, this will be revisited in 2024, as the deadline for the adoption of the NIS2 directive must take place by 28/08/2024.