New Cybersecurity Directive Agreed between the European Parliament and EU Member States
The New Legislation Will Bring About a Higher Level of Cybersecurity across the European Union.
The Council and the European Parliament have recently agreed on a new cybersecurity directive, NIS2, whose goal is to bring about “a high common level of cybersecurity across the Union”. Once implemented, it will improve resilience and incident response in both the public and private sectors.
(…) the Council and the European Parliament agreed on measures for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. Once adopted, the new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive).
This comes in response to increasing digitalisation and the growing number of cyberattacks worldwide.
NIS2: the New Directive in EU Cybersecurity
Once adopted, the new directive aims to achieve the following:
Stronger Risk Management and Reporting
The new directive will set a baseline for cybersecurity risk management measures and reporting obligations across sectors such as digital infrastructure, energy, transport and health.
The reporting obligations have been streamlined to prevent over-reporting.
No More Divergences in Cybersecurity Requirements
Once the updated directive is in place, divergences in cybersecurity requirements and in how they are implemented across member states will be removed. To achieve this, minimum rules for a regulatory framework will be enforced, together with mechanisms for effective cooperation among the relevant authorities in each member state. The new directive will also update the list of sectors and activities subject to cybersecurity obligations and provide for remedies and sanctions.
NIS2 Comes with a New Size-Cap Rule
Unlike the old directive, under which member states were responsible for deciding which entities would qualify as operators of essential services, the size-cap rule introduced by the new directive states “that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope”.
To identify these entities, three aspects will be considered: proportionality, a higher level of risk management, and “clear-cut criticality criteria”.
It is important to note that entities whose activities relate to defence or national security, public security, law enforcement and the judiciary, as well as parliaments and central banks, are excluded, so these rules will not apply to them.
To respond to this increased exposure of Europe to cyber threats, the NIS 2 Directive now covers medium and large entities from more sectors that are critical for the economy and society, including providers of public electronic communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration, both at central and regional level. It also covers more broadly the healthcare sector, for example by including medical device manufacturers, given the increasing security threats that arose during the COVID-19 pandemic. The expansion of the scope covered by the new rules, by effectively obliging more entities and sectors to take cybersecurity risk management measures, will help increase the level of cybersecurity in Europe in the medium and longer term.
The Directive’s Text Is Aligned with Sector-specific Legislation
To achieve legal clarity and coherence between the new directive and sector-specific legislation, its text has been aligned with those acts, in particular DORA (the Digital Operational Resilience Act) and the CER directive (Resilience of Critical Entities).
The Council and the European Parliament have yet to formally approve this provisional agreement.
Member states will have 21 months from the directive’s publication in the Official Journal to transpose these measures into their domestic legislation.
The new legislation will also formally establish the European Cyber Crises Liaison Organisation Network, which will support the coordinated management of large-scale cyberattacks.
Margaritis Schinas, Vice-President for Promoting our European Way of Life, has also stated:
By agreeing on these further strengthened rules, we are delivering on our commitment to enhance our cybersecurity standards in the EU. Today, the EU shows its clear determination to champion preparedness and resilience against cyber threats, which target our economies, our democracies and peace.