The EU’s new NIS2 Directive on Cybersecurity

Article by Tsaaro

7 min read

The EU’s new NIS2 Directive on Cybersecurity

On account of the increasing degree of digitization and interconnectedness in society, the European commission noted concern on the rising number of malicious activities at the global level and decided to update the 2016 NIS directive (Directive (EU) 2016/1148). In follow up to the directive proposed in December 2020, the European Parliament and EU member states reached a political agreement for a high common level of cybersecurity across the Union (Network and information systems 2 Directive i.e., the NIS2 Directive). The new directive aims at improving cybersecurity and the resilience of both public and private sector entities in the European Union.

In the series of control over the ill effects of the digital revolution, recently, the European Commission proposed a plan to “detect, report, block, and remove” child sexual abuse images and videos from online service providers, including messaging apps, an action that prompted concerns that it may undermine end-to-end encryption (E2EE) protections. In a similar vein,  the draft version of NIS2 explicitly spells out that the use of E2EE “should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security and to permit the investigation, and detection and prosecution of criminal offences in compliance with Union law.”,

THE ISSUE WITH NIS DIRECTIVE

The scope of implementation left to the member states led to fragmentation across states. The reasons for such fragmentation include the unclear delimitation of the NIS Directive’s scope of application, security and incident reporting obligations, and the supervision and enforcement requirements.

NETWORK AND INFORMATION SYSTEM 2

Scope:

With a significant increase in the number of entities covered, the NIS2  obliges more sectors to take technical and organisational measures to manage risks posed to the security of networks and information systems. In fact, where the NIS Directive included in its scope of application operators of essential services and digital services providers, the NIS 2 Directive proposes to replace the same with two new categories of entities

Now the NIS2 Includes:

    • Annex I: ‘Essential sectors’ covered by the new security provisions include: health, energy, transport, banking, digital infrastructure, public administration and space sectors.
    • Annex II: ‘Important sectors’ include: entities manufacturing medical devices, postal services, waste management, food production and processing and digital providers.

Public and Private:

Article 2  of the NIS 2 Directive establishes that the directive applies to certain public and private ‘essential entities’ operating in the sectors listed in Annex I of the Directive (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, and space) and to certain ‘important entities’ operating in the sectors listed Annex II of the NIS 2 Directive (postal and courier services, waste management, manufacture, productions, and distribution of chemicals, food production, processing, and distribution, manufacturing, and digital providers). In addition, a size-cap rule is introduced, according to which all medium and large entities, as defined by Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises, operating in the above mentioned sectors, would automatically fall within the NIS 2 Directive’s scope of application (Recital 8 of the NIS 2 Directive).

Flagging & Into Effect:

The revamped legislation requires the flagging of cyber security incidents within 24 hours of the reporting, failing which monetary penalties can be imposed. Also, as per the agreement, the European Union member states are mandated to incorporate the provisions into their national law within a period of 21 months from when the directive goes into force.

Note: For the adoption of the NIS2 Directive, both the Parliament and the Council, as co-legislators, will need to agree on the final text.

2 thoughts on “The EU’s new NIS2 Directive on Cybersecurity”

  1. I’ve been exploring for a little bit for any high quality articles or blog posts on this sort of area . Exploring in Yahoo I at last stumbled upon this site. Reading this info So i am happy to convey that I’ve a very good uncanny feeling I discovered exactly what I needed. I most certainly will make certain to do not forget this web site and give it a glance regularly.

Leave a Reply

Your email address will not be published. Required fields are marked *

Tsaaro Consulting

At the Singapore International Cyber Week 2024, The Cyber Security Agency (CSA) of Singapore released Guidelines on Securing Artificial Intelligence …

Tsaaro Consulting

The European Data Protection Board (EDPB) on 8th October 2024, issued draft Guidelines 1/2024 on processing of personal data based …

Tsaaro Consulting

Introduction   With data playing a pivotal role in business operations, ensuring data privacy compliance has become a key focus in …

Tsaaro Consulting

The FinTech industry has transformed the financial landscape, offering customers digital solutions that make banking, lending, insurance, and investing more …

Tsaaro Consulting

In a rapidly evolving financial landscape, the global open banking market is set to skyrocket from $7.29 billion in 2020 …

SHARE THIS POST

Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them