The rules will ensure a safer and stronger Europe by expanding significantly the sectors and type of entities falling under its scope and by strengthening security requirements for companies.
Recent threats have intensified the need to quickly and jointly boost the EU’s cybersecurity for the protection of citizens and businesses. It is also crucial that critical sectors and infrastructure remain secure and resilient. By addressing these challenges, the NIS 2 Directive replaces the rules on the security of network and information systems (NIS Directive), which were the first EU-wide legislation on cybersecurity paving the way for a more innovative regulatory approach to cybersecurity in many Member States.
Safeguarding additional crucial sectors
Increased interconnection and digitalisation of certain sectors lead to more cyber threats. Ensuring that more sectors and entities have to take cybersecurity risk management measures will increase the level of cybersecurity in Europe. The NIS 2 Directive now covers additional sectors that are critical for the economy and society, including providers of public electronic communications networks and services, data centre services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration entities. The rules also cover the healthcare sector more broadly, for example by including research and development of medicine or the manufacture of pharmaceutical products. Member States will have some discretion when identifying smaller entities with a high security profile that should be included within the scope of the Directive.
Improved security requirements for companies
The NIS 2 Directive also strengthens the cybersecurity risk management requirements that companies are obliged to comply with. As under the NIS Directive, companies will have to take appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks and to prevent and minimise the impact of potential incidents. This requirement becomes much more concrete under NIS 2 with a list of focused measures including, among others, incident response and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, and cybersecurity hygiene and training.
To help increase information-sharing and cooperation on cyber crisis management at both national and EU levels, the Directive streamlines incident reporting obligations with more precise provisions on reporting, content and timeline. Furthermore, there are more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, along with a list of administrative sanctions, including fines for breaches of the cybersecurity risk management and reporting obligations.
Member States will have 21 months to transpose the NIS 2 Directive into national law. During this time, Member States shall adopt and publish the measures necessary to comply with the Directive.
In December 2022, the Council adopted a recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure, in which Member States are invited to accelerate preparatory work for the transposition and application of NIS 2 and of the Directive on the resilience of critical entities (CER).
Cybersecurity is a Commission priority and a cornerstone of the digital and connected Europe.
The first EU-wide law on cybersecurity, the NIS Directive, which came into force in 2016, helped to achieve a common high level of security of network and information systems across the EU. The NIS Directive covered several sectors, including energy, transport, banking and finance, health, drinking water supply and distribution, as well as digital infrastructure. It also covered digital service providers, in particular providers of cloud services, online marketplaces and online search engines.
As part of its key policy objective to make Europe fit for the digital age, the Commission proposed the revision of the NIS Directive in December 2020. The EU Cybersecurity Act, in force since 2019, equipped Europe with a framework for the cybersecurity certification of products, services and processes and reinforced the mandate of the EU Agency for Cybersecurity (ENISA). In September 2022, the Commission adopted the proposal for a Cyber Resilience Act, which lays down cybersecurity requirements for products with digital elements, covering both hardware and software.