Updated on 2022-11-29
The EU Council issued a new cybersecurity directive, NIS2, which would set standards for cyber risk management and reporting obligations across every sector. Read more: EU Council adopts NIS2 directive to harmonize cybersecurity across member states
Updated on 2022-11-28
After reaching a provisional agreement in May, the European Council has formally adopted NIS2, a new EU directive that enforces a tougher set of cybersecurity incident reporting rules for crucial sectors such as energy, transport, healthcare, space, public administration, and digital infrastructure. NIS2 replaces the older cybersecurity reporting framework, NIS, and widens the reporting rules from large operators to also include mid-sized companies. The EU Parliament also formally passed the NIS2 regulations in October, and member states will have 21 months to incorporate the new NIS2 provisions into their national law. Read more:
- Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament
- EU decides to strengthen cybersecurity and resilience across the Union: Council adopts new legislation
- Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience
Overview: European Union Agrees on NIS2 Language for Updated EU Cybersecurity Regulatory Requirements
The European Council and the European Parliament agreed on updated measures for a common level of cybersecurity across the EU, known as NIS2 (Directive on Security of Network and Information Systems). The revised directive aims to remove divergences in cybersecurity requirements and in the implementation of cybersecurity measures across member states. It sets out minimum rules for a regulatory framework and defines mechanisms for cooperation among the authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for common remedies and sanctions. NIS2 will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.
- NIS2 is mostly about standardizing governance, enforcement and incident reporting/response across the EU. It includes a list of seven key elements addressing incident response, supply chain security, encryption and vulnerability disclosure. Organizations will have 24 hours after detection of an incident to submit an initial report. A full report will be required in 30 days. NIS2 expands the number of sectors covered, and specifically identifies social media platforms. If previous NIS rollout timelines hold for NIS2, compliance is likely to be required in 2024.
- Having consistent cybersecurity requirements across the EU will not only help with consistent implementation, but also simplify the requirements for doing business in the EU or with EU-based partners.
Read more in