NIS2: Strengthening Cybersecurity & Resilience across the European Union

The annual economic and other societal damages of cybercrime and related cybersecurity and resilience challenges are now larger than all the damages related to natural disasters combined.

Good and quite essential to know that the EU Cybersecurity Strategy of the Commission has been further implemented. On 27 December 2022, the European Union’s upgraded directive on network and information systems has entered into force. It provides for measures for a high common level of cybersecurity across the European Union.

Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and inter-connectedness of society, including in cross-border exchanges. That development has led to an expansion of the cyber threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of incidents are increasing, and present a major threat to the functioning of network and information systems, and society at large.

As a result, incidents can impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market. Moreover, cybersecurity is a key enabler for many critical sectors to successfully embrace the digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.

The NIS2 sets the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by NIS2, such as energy, transport, health and digital infrastructure.

The upgraded directive aims to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.

The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.

While under the former NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, NIS2 introduces a size-cap rule as a general rule for identification of regulated entities. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope. NIS2 includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for allowing national authorities to determine further entities covered.

NIS2 will also apply to public administrations at central and regional level.

In addition, member states may decide that it applies to such entities at local level too.

Moreover, NIS2 has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts.

A voluntary peer-learning mechanism will increase mutual trust and learning from good practices and experiences throughout the EU, thereby contributing to achieving a high common level of cybersecurity.

NIS2 also streamlines the reporting obligations in order to avoid causing over-reporting and creating an excessive burden on the entities covered.

The NIS2 (2022/2555) has now repealed its predecessor the previous directive on security of network and information systems (2016/1148). NIS2 needs to be implemented by Member States and related organisations that fall within scope of the NIS2, before 27 September 2024. Less than 2 years to go. Better start today!

If you may want to learn more what this means for your organisation, sector, supply chain and ecosystems, what your readiness level is, where the opportunities are, and which risks to prepare for and mitigate? Just give us a call.