Rules Navigator

Cybersecurity directive intends to increase European resilience to attacks

Photo: Adobe Stock Images

Thomas Hyrkiel

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Europe moves to modernise and upgrade its cybersecurity regulatory framework.

The European Parliament overwhelmingly voted to adopt a modernised cybersecurity framework, the NIS2 Directive, yesterday. NIS2 repeals and replaces the EU’s Network and Information Systems Directive.

The new rules are intended to make the European economy, deemed highly interconnected and therefore vulnerable, more resilient to cyber threats. Lead MEP Bart Groothuis said that “[r]ansomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments and society more resilient to hostile cyber operations”.

Modernise

The new rules are an attempt to modernise the existing framework in response to the increasing digitalisation of all aspects of the economy. The Directive lays down obligations both for member states as well as public and private entities.

The rules will apply to many government and public bodies along with a number of sectors deemed “essential”:

  • energy;
  • transport;
  • banking;
  • financial market infrastructure;
  • health;
  • drinking water;
  • waste water;
  • digital infrastructure;
  • public administration;
  • space.

In addition a number of other economic sectors defined as “important” will be brought within the scope of the rules:

  • postal and courier services;
  • waste management;
  • chemicals;
  • food;
  • manufacturing of specific products;
  • digital providers.

The new rules apply to all medium-sized and large companies in the selected sectors and include more onerous cybersecurity requirements

National authority

Member states are formally required to put in place a cybersecurity strategy whose objective is to achieve a high level of cybersecurity.

They will also need to designate a national authority that is responsible and a single point of contact for cybersecurity and its supervision.

Another feature of the new rules is the requirement to formally designate computer security incident response teams (CSIRTs) that are responsible for incident handling in designated sectors along with ensuring that an adequate reporting regime is in place for all entities designated as essential or important.

As with other areas of compliance the rules make clear that the designated authorities must have the power not only to supervise, but also to enforce the new rules with suspensions, bans, fines and sanctions – all part of the regulatory toolkit.

Stricter measures

For businesses the new rules mean stricter technical and operational requirements to bolster cybersecurity. These include at a minimum measures covering:

  • risk analysis;
  • information system security policies;
  • incident handling;
  • business continuity;
  • supply chain security;
  • security in the full lifecycle of network and information systems;
  • testing and auditing of cybersecurity measures;
  • cryptography and encryption.

Data storage and processing as well as managed security services are singled out as examples of the service providers that need to be more closely scrutinised under the supply chain security element.

No specific detail is provided on what constitutes a compliant cybersecurity regime and so the detail here is left in the hands of the member states or, rather, the specific designated national authorities. But the commission does explicitly leave the route open for laying down “the technical and the methodological specifications” for each of the regulatory measures.

When a cybersecurity incident that adversely affects the ability of the entity to provide its services takes place the entity must:

  • report the incident within 24 hours;
  • be able to provide status updates upon request;
  • produce a report on the incident within a month of it having taken place.

The adoption of the rules is an acknowledgement of how serious the cybersecurity issues have become over the years and how many important aspects of a modern economy are exposed to potential attack and disruption. Because implementation is in the hands of member states, the passage of NIS2 is likely to set off a flurry of regulatory action across the continent.

The number of sectors targeted by the new rules likely means significant additional investment in cybersecurity and related information technology infrastructure in the near and mid-term.

, , ,

You may also like