EU Cybersecurity Strategy and NIS 2 directive
Author: Elisa Magnanini
Date of publication: 07/07/2022
Covid-19 exposed the EU member states’ digital infrastructures to new threats. In response, the EU undertook a series of actions to reinforce the Union’s cybersecurity. For example, on 13 May 2022, the Council and the European Parliament reached a provisional agreement on the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive). This Directive revises the Directive on security of network and information systems (NIS Directive), correcting its shortcomings. The NIS 2 Directive is part of a larger framework the EU developed to reinforce the Union’s cybersecurity.
1. EU Cybersecurity Package
The European Commission’s intention to reform the NIS Directive became clear on 16 December 2020, with the Cybersecurity Strategy for the Digital Decade. In the Strategy, the Commission recognizes the targeting of digital infrastructures as a major global risk. The Commission therefore aims to improve the EU’s cybersecurity while safeguarding fundamental rights and freedoms in the Union. To do so, the Strategy lays out a three-pillar approach, comprising:
1) resilience, technological sovereignty and leadership;
2) building operational capacity to prevent, deter and respond;
3) advancing a global and open cyberspace.
2. Resilience, technological sovereignty and leadership and NIS 2 Directive
Under the Strategy’s first pillar, the Commission proposed reforming the NIS Directive of 2016. Despite its innovativeness, the NIS Directive was implemented unevenly by member states and resulted in increased fragmentation in the internal market. The NIS 2 Directive is therefore meant to address the shortcomings of the first Directive. This is part of the effort to reinforce the resilience of the private and public sectors that perform an important role in the functioning of the Union’s economy and society.
2.2 NIS 2 Directive: what’s new?
Enlarged scope. NIS 2 applies:
to energy, transport, banking, financial market infrastructures, health, drinking water and digital infrastructure (sectors already covered by the NIS Directive), and also to new sectors such as wastewater, public administration and space.
To all medium and large companies operating in the critical sectors. The inclusion of small companies is generally left to the discretion of member states, although certain entities (for example providers of DNS services and top-level domain name registries) fall within scope regardless of their size.
Risk management. NIS 2 imposes a risk management approach by setting out a minimum list of basic security measures that entities must implement.
Supply chain. NIS 2 requires entities to address the security of their supply chain and of their relationships with suppliers and service providers.
Reporting, Supervision and Sanctions
New and more precise provisions on the process of incident reporting, the content of reports and the reporting timeline.
More stringent supervisory measures for national authorities and stricter enforcement requirements.
Harmonization of the sanction regimes across the member states. For essential entities, NIS 2 sets administrative fines of up to 10 million € or 2% of the total worldwide annual turnover, whichever is higher.
NIS 2 calls for increased cooperation among the member states through the European Union Agency for Cybersecurity (ENISA), the Cooperation Group and the European Cyber Crises Liaison Organisation Network (EU-CyCLONe).
3. Next steps
The European Parliament and the Council now need to formally adopt the NIS 2 Directive. The two bodies are expected to vote in the upcoming months. Once the Directive is adopted and enters into force, member states will have 21 months to transpose it into national legislation.
4. Towards a more resilient EU
The NIS 2 Directive represents an essential step towards a stronger cybersecurity system across the Union. With more secure cyber infrastructures, European citizens will be able to safely enjoy their digital life!