There are no anticipated changes to local laws.
The Commission has adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive).
Key elements of the Commission proposal
The new Commission proposal aims to address the deficiencies of the previous NIS Directive, to adapt it to current needs and make it future-proof.
To this end, the Commission proposal expands the scope of the current NIS Directive by adding new sectors based on how critical they are to the economy and society, and by introducing a clear size-based cap – meaning that all medium and large companies in selected sectors will be included in the scope. At the same time, it leaves some flexibility for Member States to identify smaller entities with a high security risk profile.
The proposal also eliminates the distinction between operators of essential services and digital service providers. Entities would instead be classified by their importance into essential and important categories, each subject to a different supervisory regime.
The proposal strengthens security requirements for companies by imposing a risk management approach with a minimum list of basic security elements that must be applied. It also introduces more precise provisions on the incident reporting process, the content of the reports, and timelines.
Furthermore, the Commission proposes to address the security of supply chains and supplier relationships by requiring individual companies to address the cybersecurity risks in them. At the European level, the proposal strengthens supply chain cybersecurity for key information and communication technologies. Member States, in cooperation with the Commission and ENISA, will carry out coordinated risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.
The proposal introduces more stringent supervisory measures for national authorities, stricter enforcement requirements, and aims to harmonise sanctions regimes across Member States.
The proposal also enhances the role of the Cooperation Group in shaping strategic policy decisions on emerging technologies and new trends, and increases information sharing and cooperation between Member State authorities. It also enhances operational cooperation, including on cyber crisis management.
The Commission proposal establishes a basic framework, with responsible key actors, for coordinated vulnerability disclosure of newly discovered vulnerabilities across the EU, and creates an EU registry for this purpose, operated by the European Union Agency for Cybersecurity (ENISA).