Heimdal

EU Adopts New Cybersecurity Rules for Critical Infrastructure Under NIS2 Directive

The European Commission has adopted new cybersecurity rules for critical infrastructure across the EU, taking a major step toward enhancing digital resilience.

This implementing regulation under the updated NIS2 Directive specifies cybersecurity measures for essential sectors and outlines when companies must report significant incidents to national authorities.

The rules apply to key digital service providers, including cloud computing, data centers, online marketplaces, search engines, and social networking platforms.

The regulation also defines which incidents are deemed significant enough to trigger mandatory reporting.

This adoption coincides with the deadline for Member States to incorporate the NIS2 Directive into their national laws.

Starting October 18, 2024, all EU countries are required to enforce NIS2 measures, ensuring a standardized level of cybersecurity, supervisory oversight, and enforcement across the Union.

What’s new in the NIS2 Directive?

The new NIS2 Directive balances the flexibility afforded to Member States with a uniform implementation strategy across the EU.

Here’s a breakdown of the key changes from NIS1 to NIS2 and their implications for ENISA, the European Commission, and Member States:

  • Broader Scope: NIS2 now covers twice as many sectors, reflecting their digital transformation and their critical economic and societal roles.
  • Classification by Size: Introduces size thresholds to differentiate between essential and important entities.
  • Enhanced Security Requirements: Expands the list of security measures based on risk assessments, adding new responsibilities for management bodies.
  • Structured Incident Reporting: Implements more organized incident reporting protocols with specific deadlines and stronger oversight for entities meeting minimum requirements.
  • Distinct Regulatory Frameworks: Establishes separate regimes for essential and important entities to facilitate cross-border cooperation.
  • ENISA’s Expanded Role: The European Union Agency for Cybersecurity (ENISA) will create a registry of cross-border entities and develop a European Vulnerability Database for the voluntary disclosure and registration of known vulnerabilities.
  • Improved DNS Data Management: Mandates that Member States maintain accurate and complete databases of domain name registration data to enhance the security, stability, and resilience of the Domain Name System (DNS).

For additional resources, such as the implementing act, factsheet, and questions & answers about the NIS2 Directive, read the full announcement here.

Achieve Cyber Resilience with Heimdal

To see how Heimdal can help you achieve cyber resilience and comply with the NIS2 Directive, check out our compliance page.

Comply with the EU's NIS2 Directive with Heimdal

Get your hands on our comprehensive NIS2 Compliance Checklist, now available for download in three convenient formats: PDF, Word, and Google Docs – ensuring you have everything you need to streamline your compliance.

Frequently Asked Questions

1. When do the new NIS2 rules come into effect across the EU?

All EU Member States must implement the updated NIS2 Directive into their national laws by October 18, 2024. From this date forward, organizations operating within critical sectors will be legally required to comply with the updated cybersecurity measures, including stricter incident reporting and enhanced risk management protocols.

2. Which organizations are impacted by the NIS2 Directive?

The NIS2 Directive applies to a wider range of organizations than its predecessor. It includes essential and important entities in critical sectors such as energy, healthcare, transport, banking, digital infrastructure, cloud services, online marketplaces, data centers, and social networking platforms. The classification now also considers organization size, targeting medium and large companies that play a vital role in maintaining economic and societal stability.

3. What types of cybersecurity incidents must be reported under NIS2?

Under the NIS2 Directive, organizations must report any incident that has a significant impact on the provision of their services. This includes incidents that cause substantial disruption, lead to data breaches, or pose serious risks to users or other entities. Reports must be submitted to national authorities within 24 hours of becoming aware of the incident, followed by a more detailed report within 72 hours.