The European Commission is proposing rules that would require EU bodies to implement a framework to better manage cyber security risks.
It’s part of a package of draft rules by the EU executive known as the Cybersecurity Regulation, and also includes plans to create a Cybersecurity Board to monitor the introduction of the new requirements.
The decision comes amid the continued threat of cyber attacks, with governments and essential service providers among those most likely to be targeted.
In a statement, the Budget Commissioner Johannes Hahn said: “In a connected environment, a single cybersecurity incident can affect an entire organisation. This is why it is critical to build a strong shield against cyber threats and incidents that could disturb our capacity to act.”
The rules would also require EU institutions, bodies and agencies to identify cyber security risks, establish a plan to improve their defences, perform regular risk assessments and share details about data breaches.
An apt proposal
The European Commission’s proposal comes amid the Russian invasion of Ukraine and fresh reminders of the damage that cyber attacks can cause to governments and critical infrastructure.
However, plans to bolster cyber security in the EU have been in the works for a while. Last year, the EU announced plans to update the NIS Directive (Directive on Security of Network and Information Systems), a set of cyber security rules for OES (operators of essential services) and DSPs (digital service providers).
The NIS Directive came into effect in May 2018 – the same month as the GDPR (General Data Protection Regulation) – and fell victim to the attention given to the latter regulation. There was little discussion concerning the importance of the NIS Directive and the ways it can protect organisations.
The Directive was also less strict than the GDPR, so less work was required to amend the relevant processes, and it attracted correspondingly less attention.
EU regulators are hoping to correct that by updating the Directive’s rules. NIS 2.0, as it is currently known, intends to strengthen cyber security requirements for OES and DSPs.
The European Commission hopes that NIS 2.0 will address the limitations that it has identified with the current framework, such as its lack of guidance on protecting against and responding to major cyber security incidents that affect the single market.
Likewise, NIS 2.0 should address the changes in the way organisations operate and the increasingly digital work environment.
What else will NIS 2.0 cover?
Among the major differences with NIS 2.0 is that it will not include separate rules for essential service providers and digital service providers. It will instead combine its rules under the heading of ‘essential and important entities’ – reflecting the broad range of organisations that provide digital services.
In doing so, it will expand the scope of the Directive and could see many more organisations being subject to its rules.
Organisations that could now fall under its scope include healthcare providers, managed IT service providers, courier services, manufacturers, waste and water management providers, public administration entities, digital infrastructure providers, social networks and providers of electronic communication services.
The proposal also builds on the NIS Directive’s requirement that organisations implement appropriate technical and organisational security measures to manage cyber security risks to network and information systems, adding further governance requirements for organisations.
NIS 2.0 would also contain changes related to notifying relevant competent authorities about security incidents. The proposal would mandate that notification be triggered where an incident results in a ‘significant impact’ on the provision of that organisation’s services.
What happens next?
NIS 2.0 is subject to the outcome of negotiations between EU institutions, and there may well be significant changes between these proposals and the final draft.
However, we will almost certainly see versions of the rules outlined in this blog. As such, organisations that are already subject to the NIS Directive must keep an eye out for potential changes in their regulatory requirements.
Meanwhile, organisations that could fall into NIS 2.0’s broader scope should consider the steps they might have to take when the Directive comes into force.