NEW ’NIS2’ CYBERSECURITY STANDARDS: EUROPE MOVING CLOSER TO TOUGHER CYBERSECURITY REQUIREMENTS

Following the European Council and Parliament's provisional agreement on networks and information systems, called NIS2, Europe has moved closer to new cybersecurity standards and reporting requirements. The new measures, first proposed by the European Commission at the end of 2020, look to boost the cyber resilience of entities across range of sectors deemed critical for the economy and society.

NIS2 will take the place of the present Directive on the Security of Networks and Information Systems, or NIS, which was adopted in 2016. The new directive establishes tighter criteria — as well as possible consequences, such as fines – for a broader range of industries that must adhere to computer security regulations.

It also aims to minimise "significant differences" in risk management and security reporting requirements among EU member states by adopting uniform criteria for assessing, reporting, and taking action to mitigate cyber risk.

The existing regulations on network and information system security (NIS Directive) were the first piece of EU-wide cybersecurity legislation, and they cleared the way for a dramatic shift in mindset, institutional, and legislative approaches to cybersecurity in many Member States. Despite their remarkable accomplishments and beneficial influence, they needed to be updated due to our society's expanding digitalisation and interconnection, as well as the increasing amount of cyber harmful operations on a global scale.

To address Europe's increased vulnerability to cyber threats, the NIS2 Directive now includes medium and large entities from a wider range of sectors that are critical to the economy and society, such as providers of public electronic communications services, digital services, wastewater and waste management, critical product manufacturing, postal and courier services, and public administration, both at the national and regional levels. Given the increased security threats that occurred during the COVID-19 pandemic, it also covers the healthcare sector more widely, for example by incorporating medical equipment manufacturers. The new standards' expanded reach will assist raise the level of cybersecurity in Europe in the medium and long term by effectively compelling more organisations and sectors to employ cybersecurity risk management procedures.

The NIS2 Directive also enhances the cybersecurity standards imposed on businesses, targets supply chain and supplier security, and holds top management accountable for non-compliance with cybersecurity duties. It intends to harmonise sanctions regimes across Member States by streamlining reporting responsibilities, introducing more tougher monitoring measures for national authorities, as well as stricter enforcement requirements. It will aid in the sharing of information and collaboration on cyber crisis management at the national and EU levels.

NIS2 also sets up a European cybercrisis liaison organization network, dubbed EU-CyCLONe, to help manage large-scale online attacks across Europe, and also to coordinate vulnerability disclosure and increase information sharing and cooperation between government and private sector organizations. Meanwhile, companies that don't comply with the new risk management and reporting rules face fines of up to €10 million or two percent of their global annual turnover, whichever is higher.

Once adopted by the Council and European Parliament, member states will have 21 months to incorporate NIS2 into their national laws.

European Commissioners, for their part, welcomed the agreement. 

"In today's cybersecurity landscape, cooperation and rapid information sharing are of paramount importance," said Thierry Breton, commissioner for the internal market, in a statement. "With the agreement of NIS2, we modernize rules to secure more critical services for society and economy. This is therefore a major step forward."