Fri. Nov 22nd, 2024

Brussels, 17 October 2024

The EU Commission has adopted today the first implementing rules on cybersecurity of critical entities and networks under the Directive on measures for high common level of cybersecurity across the Union (NIS2 Directive). This implementing act details cybersecurity risk management measures as well as the cases in which an incident should be considered significant and companies providing digital infrastructures and services should report it to national authorities. This is another major step in boosting the cyber resilience of Europe’s critical digital infrastructure.

The implementing regulation adopted today will apply to specific categories of companies providing digital services, such as cloud computing service providers, data centre service providers, online marketplaces, online search engines and social networking platforms, to name a few. For each category of service providers, the implementing act specifies when an incident is considered significant, to whom it needs to be reported and in which timeframe.

Today’s adoption of the implementing regulation coincides with the deadline for Member States to transpose the NIS2 Directive into national law. As of tomorrow, 18 October 2024, all Member States must apply the measures necessary to comply with the NIS2 cybersecurity rules, including supervisory and enforcement measures.

Next Steps

The implementing regulation will be published in the Official Journal in due course and enter into force 20 days thereafter.

Background

The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped to achieve a common level of security of network and information systems across the EU. As part of its key policy objective to make Europe fit for the digital age, the Commission proposed the revision of the NIS Directive in December 2020. After entering in force in January 2023, Member States had to transpose the NIS2 Directive into national law by 17 October 2024.

The NIS2 Directive aims to ensure a high level of cybersecurity across the Union. It covers entities operating in sectors that are critical for the economy and society, including providers of public electronic communications services, ICT service management, digital services, wastewater and waste management, space, health, energy, transport, manufacturing of critical products, postal and courier services and public administration.

The Directive strengthens security requirements imposed on the companies and addresses the security of supply chains and supplier relationships. It streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, and aims at harmonising sanctions regimes across Member States. It will help increase information sharing and cooperation on cyber crisis management at a national and EU level.

Factsheet
More information

Cybersecurity is one of the main building blocks for the protection of our citizens and our infrastructure. In today’s cybersecurity landscape, stepping up our capabilities, security requirements and rapid information sharing with up-to-date rules is of paramount importance. I urge the remaining Member States to implement these rules at national level as fast as possible to ensure that the services which are critical for our societies and economies are cyber secure.

Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age

Source – EU Commission


Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)

The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.

The Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive) provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

  • Member States’ preparedness, by requiring them to be appropriately equipped. For example, with a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority,
  • cooperation among all the Member States, by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States. 
  • a culture of security across sectors that are vital for our economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.

Forward to your friends