New legislation is being introduced in the European Union (EU) to ensure critical infrastructure organizations are better protected against destructive cyberattacks.
Current legislation covering the security of network and information systems – the NIS Directive – was introduced in 2016 and was the first piece of EU-wide cybersecurity legislation. The NIS Directive required all EU member states to have national cybersecurity capabilities, participate in cross-border collaboration with other EU countries, and for all EU member states to supervise the cybersecurity of critical infrastructure operators. Critical infrastructure includes energy, transport, wastewater and water management, healthcare, public administration, digital infrastructure, telecommunications, postal and courier services, and manufacturers of critical products.
While the NIS Directive has had a positive impact, the increasing degree of digitalisation and interconnectedness of our society and the increasing number of cyber malicious activities at the global level, and in Europe, warranted a change to the existing legislation. The NIS 2 Directive was first proposed in 2020, and now political agreement has been reached on the new legislation between the European Parliament and EU member states.
The NIS 2 Directive will apply to medium and large organizations operating in critical infrastructure sectors and requires them to implement measures to manage cybersecurity risks, such as patching vulnerabilities in software. There are also new reporting requirements, which require cybersecurity incidents to be reported to the appropriate authorities within 24 hours of discovery,
The new legislation will strengthen the cybersecurity requirements for companies, help to ensure the security of supply chains, and introduces accountability for top-level management for non-compliance with their cybersecurity obligations. The penalties for non-compliance with cybersecurity obligations will be a fine of up to 2% of annual turnover for operators of essential services and 1.4% for operators of important services.
The new legislation is expected to increase the level of cybersecurity throughout Europe over the medium to long term. While political agreement has been reached on the NIS 2 Directive, the legislation must now be formally approved by each EU member state and the European Parliament. The compliance date will be 21 months from the date NIS 2 Directive is formally passed.
“Cyber threats have become bolder and more complex. It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected. In today’s cybersecurity landscape, cooperation and rapid information sharing are of paramount importance,” said Thierry Breton, Commissioner for the Internal Market. “With the agreement of NIS2, we modernise rules to secure more critical services for society and economy. This is therefore a major step forward. We will complement this approach with the upcoming Cyber Resilience Act that will ensure that digital products are also more secure whenever they are used.”