14 December 2022 — what could have been just another busy day for the EU cybersecurity community — became a landmark moment as the European Parliament and the Council of the European Union agreed to strengthen Europe’s cyber resilience with the new NIS2 Directive.
However, to date not all EU member states have implemented this decision, an unprecedented outcome in cybersecurity. The delay in transposing the directive into national legislation raises several questions.
- Is the cyber resilience of the EU and its individual member states at risk?
- What are NIS2’s implementation challenges and opportunities?
- Could NIS2 help bridge the EU’s old gap with the areas of national security and defence?
This analysis concludes that the evolution of NIS and NIS2 from internal market regulations to broader cybersecurity frameworks highlights their growing relevance for the defence sector and especially for the defence industry, whose cybersecurity-compliant products may directly link to national security. As Russia’s cyber and kinetic aggression against Ukraine underscores the need for resilience across both civilian and military domains, some member states are already including their defence sector into the NIS2 implementation. While the EU maintains a distinction between cybersecurity and cyber defence, national approaches — such as those highlighted in this analysis, from the Czech Republic, Estonia, and Lithuania — demonstrate how NIS2 compliance can strengthen the defence sector’s cybersecurity while – especially important in the most recent EU developments like the European Commission’s ReArm Europe plan – also creating strategic business advantages in the defence industry.
Download and read: The EU’s NIS2 Directive: A Business Opportunity for the Defence Sector (PDF)