On 16 December 2020, the European Commission adopted a proposal for a Revised Directive on Security of Network and Information Systems (NIS2).
The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped achieve a higher and more even level of security of network and information systems across the EU. In view of digitalisation in recent years, the European Commission believes that it is in need of an update.
Under NIS2, more stringent supervision and enforcement measures are expected to be introduced. A list of administrative sanctions is also expected to be established, including fines for breaches of the cybersecurity risk-management and reporting obligations.
NIS2 will provide for greater cooperation both at EU and Member State levels, including:
- The establishment of a European Cyber Crises Liaison Organisation Network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents and crises at EU level
- Increased information sharing and cooperation between Member State authorities, with an enhanced role for the Cooperation Group
- Coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU
Cybersecurity risk management
NIS2 will strengthen security requirements with a list of focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption.
NIS2 will also strengthen the security of supply chains for key information and communication technologies.
Importantly, we expect the European Commission to demand greater accountability of company management for compliance with cybersecurity risk-management measures.
We also expect streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline.
NIS2 is expected to expand in scope to include more sectors and services as either essential or important entities. Sectors falling within scope are likely to include the following:
- Providers of public electronic communications networks or services
- Digital services such as social networking services platforms and data centre services
- Waste water and waste management
- Manufacturing of certain critical products such as pharmaceuticals, medical devices and chemicals
- Postal and courier services
- Public administration
NIS2 is a key part of the European Commission’s updated cyber strategy. However, legislative wheels in Brussels turn slowly and the proposal will now be subject to significant negotiations between legislators, following which Member States will have a further 18 months to transpose it into national law.