The EU is not satisfied with its current data protection legislation, despite the introduction of several new laws in recent years. This includes not only the GDPR (General Data Protection Regulation) but also the NIS Directive and the European Critical Infrastructure Directive.
With the cyber security landscape evolving rapidly, EU regulators have recognised the need for continual improvements. That’s resulted in two new pieces of legislation – NIS2 and CER (Critical Entities Resilience) Directive – which will replace their predecessors.
The European Union announced in November 2022 that it was replacing the NIS Directive, after it faced repeated criticism that its requirements were ineffective.
The new directive, NIS2, contains stricter rules and applies to a broader set of industries.
In a press release, the EU Council said that it “will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure”.
NIS2 updates the list of sectors that are within the directive’s scope, as well as the activities that are subject to its rules.
It also introduces a new “cap-size rule” for the identification of regulated entities. This means that all medium-sized and large organisations operating within the relevant sectors fill fall within NIS2’s scope.
The EU Council adds that the directive “includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for allowing national authorities to determine further entities covered”.
Organisations that could now fall under its scope include healthcare providers, IT-managed service providers, courier services, manufacturers, waste and water management providers, public administration entities, digital infrastructure providers, social networks and electronic communication service providers.
However, the directive will not apply to organisations that conduct activities in areas such as defence or national security, public security and law enforcement. Judiciary, parliaments and central banks are also excluded from its scope.
Elsewhere, NIS2 streamlines reporting obligations in an effort to reduce over-reporting, and its requirements have been aligned with sector-specific legislation, including DORA (the Digital Operational Resilience Act).
The CER Directive provides a framework to help organisations mitigate a range of risks that come with cyber security implications. This includes natural hazards, terrorist attacks and insider threats.
The CER applies to 11 sectors that have been deemed critical:
- Digital infrastructure
- Drinking water supply
- Financial market infrastructure
- Public administration
Its requirements state that covered entities must prepare for disruptive incidents, implementing measures to protect against, respond to, and recover from them.
The CER Directive covers three priority areas: preparedness, response and international cooperation.
Organisations with the CER Directive’s scope will need a national strategy to implement the changes, and they must conduct a risk assessment at least every four years to identify organisations that provide essential services.
Organisations within the CER’s scope must themselves perform risk assessments to evaluate cyber security threats. They must also implement measures to ensure their resilience and to notify competent authorities of disruptive incidents.
It also calls on member states to work with the EU Commission to develop a plan for a coordinated response to disruptions of critical infrastructure with significant cross-border relevance.
NIS2 and the CER Directive are now in a transition period, with the requirements taking effect on 18 October 2024.
Because it is a directive, the rules won’t apply automatically. Rather, each member state must transpose the requirements into national law.
Meanwhile, organisations that fall within the directives’ scope must review their practices and make any necessary changes to achieve compliance.