- EU Member States improve their cybersecurity capabilities.
- More stringent supervision measures and enforcement are introduced.
- A list of administrative sanctions, including fines for breach of the cybersecurity risk management and reporting obligations, is established.
- Increased EU-level cooperation.
- Establishment of European Cyber crises liaison organisation network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents and crises at EU level.
- Increased information sharing and cooperation between Member State authorities with enhanced role of the Cooperation Group.
- Coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU is established.
Cybersecurity risk management
- Operators of Essential Services (OES) and Digital Service Providers (DSP) have to adopt risk management practices and notify significant incidents to their national authorities.
- Strengthened security requirements with a list of focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption.
- Cybersecurity of supply chain for key information and communication technologies will be strengthened.
- Accountability of the company management for compliance with cybersecurity risk-management measures.
- Streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline.
SECTORS COVERED BY THE NIS DIRECTIVE
- BANKING AND FINANCIAL MARKET INFRASTRUCTURE
- DIGITAL SERVICE PROVIDERS
Expanded scope to include more sectors and services as either essential or important entities.
- PROVIDERS OF PUBLIC ELECTRONIC COMMUNICATIONS NETWORKS OR SERVICES
- DIGITAL SERVICES SUCH AS SOCIAL NETWORKING SERVICES PLATFORMS AND DATA CENTRE SERVICES
- WASTE WATER AND WASTE MANAGEMENT
- MANUFACTURING OF CERTAIN CRITICAL PRODUCTS (SUCH AS PHARMACEUTICALS, MEDICAL DEVICES, CHEMICALS)
- POSTAL AND COURIER SERVICES