European Union adopts new Cyber law increasing the security of network and information systems

After the adoption last month by the European Parliament and Council, the new Directive on the Security of Network and Information Systems (NIS2) will enter into force today, replacing and repealing the existing Directive (NIS).

The NIS2 represents a significant increase in the cyber requirements for companies in critical sectors, public administrations and infrastructure, clarifying and expanding the scope of the original Directive and identifying higher cyber security requirements for entities within its scope. The revised directive aims to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.

NIS2 introduces a size-cap as a general rule for identifying entities that will have to comply with the Directive, meaning that all medium and large sized entities operating within the sectors or providing services covered by the Directive will now be included in its scope. The new Directive includes provisions to ensure proportionality, a greater level of risk management and criticality criteria to aid member states in identifying other entities that will be covered. The text has also streamlined reporting obligations to make it easier for entities affected by cyber threats.

The text calls for member states to provide support and resources to help SMEs that do need to comply with the Directive achieve the requirements.

DIGITAL SME has previously produced a position paper on the Directive, in which we raised concerns regarding the support that member states will make available and the possible consequences for suppliers, who may be excluded from the scope but may still need to assess their compliance as part of their supply relationships. You can read the position paper below.

DIGITAL SME Position NIS2 Directive
