EU Adopts NIS2 to Strengthen Cyber Security Risk Management

The European Union has adopted a new cyber security directive that intends to improve cyber resilience and incident response across a range of sectors. It replaces the NIS Directive, which came into force in 2018 but has been widely criticised for its ineffective requirements.

The new directive, NIS2, contains stricter rules and applies to a broader set of industries.

In a press release, the EU Council said that it “will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure”.

The European Commission hopes that NIS 2.0 will address the limitations that it identified with the current framework, such as its lack of guidance on protecting against and responding to cyber security incidents.

What’s changing?

NIS2 updates the list of sectors that are within the directive’s scope, as well as the activities that are subject to its rules.

It also introduces a new “cap-size rule” for the identification of regulated entities. This means that all medium-sized and large organisations operating within the relevant sectors will fall within NIS2’s scope.

The EU Council adds that the directive “includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for allowing national authorities to determine further entities covered”.

Organisations that could now fall under its scope include healthcare providers, IT-managed service providers, courier services, manufacturers, waste and water management providers, public administration entities, digital infrastructure providers, social networks and electronic communication service providers.

However, the directive will not apply to organisations that conduct activities in areas such as defence or national security, public security and law enforcement. Judiciary, parliaments and central banks are also excluded from its scope.

Elsewhere, NIS2 streamlines reporting obligations in an effort to reduce over-reporting, and its requirements have been aligned with sector-specific legislation, including DORA (the Digital Operational Resilience Act).

Meanwhile, the directive is more closely affiliated with the CER (the Center for European Reform), which is an independent think-tank that provides commentary and debate on EU legal matters.

The EU Council said that this will create a “voluntary peer-learning mechanism [that] will increase mutual trust and learning from good practices and experiences in the Union, thereby contributing to achieving a high common level of cybersecurity”.

Next steps

NIS2 will be published in the Official Journal of the European Union in the coming days.

Member states will then have 21 months from this date to incorporate its requirements into national law.
