EU Council strengthens cybersecurity with updated legislation

The new NIS2 directive aims to improve resilience and incident response capacities in the EU.

We reported earlier that the European Parliament had voted to adopt a modernised cybersecurity framework, the NIS2 Directive, and that it will replace the current Network and Information Systems (NIS) Directive.

With the updated directive, the Council aims to set a higher common level of cybersecurity across the Union, and to keep improving resilience and incident response in the public and private sectors, as well as across the EU as a whole.

“There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes for our economies and our citizens are enormous. Today, we took another step to improve our capacity to counter this threat,” said Ivan Bartoš, Czech Deputy Prime Minister for Digitalization and Minister of Regional Development.

Reporting obligations

NIS2 will lay the groundwork for cybersecurity risk management measures and reporting obligations across all sectors covered by the directive, such as energy, transport, health and digital infrastructure. NIS2 will apply to public administrations at the central and regional levels, and member states can decide whether to apply it at the local level too. Activities concerning defence or national security, public security, and law enforcement are excluded from the directive. The judiciary, parliaments, and central banks are also excluded.

To harmonise requirements and measures across the member states, the NIS2 directive will set out minimum rules for a regulatory framework and will provide mechanisms for effective cooperation among the relevant authorities in each state.

EU-CyCLONe

In addition, the NIS2 directive will also establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.

NIS2 has also been aligned with sector-specific legislation, particularly the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), in order to provide legal clarity and ensure coherence between NIS2 and these acts.

In addition, NIS2 will streamline reporting obligations to avoid over-reporting and placing excessive burdens on entities.

The directive will be published in the EU’s Official Journal in the coming days and will enter into force on the 20th day following publication. Member states will have 21 months from the directive’s entry into force to transpose its provisions into national law.