NIS2 Directive

SHARE:

A high common level of cybersecurity in the EU

  • Published:
  • Author: Panos Mouratidis

The Commission has submitted a proposal to replace the NIS Directive in order to increase Member States’ cybersecurity capabilities. The proposed expansion of the scope covered by NIS2 will assist in increasing the level of cybersecurity in Europe.

The political agreement was formally adopted by the Parliament and then the Council in November 2022. It entered into force on 16 January 2023, and Member States now have 21 months, until 17 October 2024, to transpose its measures into national law. The NIS2 proposal sets itself three general objectives:

-Increase the level of cyber-resilience of a comprehensive set of businesses operating in the European Union across all relevant sectors, by  putting in place rules that ensure that all public and private entities across the internal market, which fulfil important functions for the economy and society as a whole, are required to take adequate cybersecurity measures

-Reduce inconsistencies in resilience across the internal market in the sectors already covered by the directive, by further aligning i) the de facto scope; ii) the security and incident reporting requirements; iii) the provisions governing national supervision and enforcement; and iv) the capabilities of the Member States’ relevant competent authorities

-Improve the level of joint situational awareness and the collective capability to prepare and respond, by i) taking measures to increase the level of trust between competent authorities ii) by sharing more information and iii) setting rules and procedures in the event of a large-scale incident or crisis

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services. Related measures shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:

-policies on risk analysis and information system security                

-incident handling

-business continuity, such as backup management and disaster recovery, and crisis management

-supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers

-security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

-policies and procedures to assess the effectiveness of cybersecurity risk-management measures

-basic cyber hygiene practices and cybersecurity training

-policies and procedures regarding the use of cryptography and, where appropriate, encryption

-human resources security, access control policies and asset management

-the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured

While Directive (EU) 2022/2555 will increase the Member States’ cybersecurity capabilities, its implementation will be proved difficult for an integrated approach across Member States.

Source: https://eur-lex.europa.eu

Contact us to receive a professional advisory in your area of interest