The European Commission has adopted new cybersecurity rules for critical infrastructure across the EU, taking a major step toward enhancing digital resilience.
This implementing regulation under the updated NIS2 Directive specifies cybersecurity measures for essential sectors and outlines when companies must report significant incidents to national authorities.
The rules apply to key digital service providers, including cloud computing, data centers, online marketplaces, search engines, and social networking platforms.
The regulation also defines which incidents are deemed significant enough to trigger mandatory reporting.
This adoption coincides with the deadline for Member States to incorporate the NIS2 Directive into their national laws.
Starting October 18, 2024, all EU countries are required to enforce NIS2 measures, ensuring a standardized level of cybersecurity, supervisory oversight, and enforcement across the Union.
What’s new in the NIS2 Directive?
The new NIS2 Directive balances the flexibility afforded to Member States with a uniform implementation strategy across the EU.
Here’s a breakdown of the key changes from NIS1 to NIS2 and their implications for ENISA, the European Commission, and Member States:
- Broader Scope: NIS2 now encompasses twice as many sectors, highlighting their digital transformation and their critical economic and societal roles.
- Classification by Size: Introduces size thresholds to differentiate between essential and important entities.
- Enhanced Security Requirements: Expands the list of security measures based on risk assessments, adding new responsibilities for management bodies.
- Structured Incident Reporting: Implements more organized incident reporting protocols with specific deadlines and stronger oversight for entities meeting minimum requirements.
- Distinct Regulatory Frameworks: Establishes separate regimes for essential and important entities to facilitate cross-border cooperation.
- ENISA’s Expanded Role: The European Union Agency for Cybersecurity (ENISA) will create a registry of cross-border entities and develop a European Vulnerability Database for the voluntary disclosure and registration of known vulnerabilities.
- Improved DNS Data Management: Mandates that Member States maintain accurate and complete databases of domain name registration data to enhance the security, stability, and resilience of the Domain Name System (DNS).
For additional resources, such as the implementing act, a factsheet, and questions and answers about the NIS2 Directive, read the full announcement here.
Achieve Cyber Resilience with Heimdal
To see how Heimdal can help you achieve cyber resilience and comply with the NIS2 Directive, check out our compliance page.