Legislation to Strengthen Cybersecurity Across the Union: NIS 2 Directive
After approval by the European Parliament on 10 November 2022 and the Council on 28 November 2022, the new Directive (EU) 2022/2555 on "measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive)" was published in the Official Journal of the European Union on 27 December 2022.
The NIS 2 Directive aims to achieve a common level of cybersecurity across the Union, with a view to improving the functioning of the internal market. The new legislation imposes stricter requirements with regard to risk management, incident reporting, and information exchange in the area of cybersecurity. It comes in response to the escalating threats brought on by the digital transformation and the rise in cyberattacks. It also follows the Commission's proposal to replace the Network and Information Security (NIS) Directive of 2016, whose implementation proved challenging and led to fragmentation at various levels throughout the internal market.
The new directive lays down obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs). Essential sectors - the energy, transport, banking, health, digital infrastructure, public administration, and space sectors - will be covered by the new security provisions.
In order to achieve harmonisation, the directive sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each Member State. It formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises at the operational level and ensure the regular exchange of relevant information among Member States and Union institutions, bodies, offices, and agencies. The text clarifies that NIS 2 will not apply to entities carrying out activities in areas such as defence or national security, public security, and law enforcement. The judiciary, parliaments, and central banks are also excluded from its scope.
In order to prevent overreporting and placing an undue burden on the companies covered, the new text considerably simplifies reporting requirements. Member States must implement the provisions into their national law by 17 October 2024. The 2016 NIS Directive will be repealed with effect from 18 October 2024.