European Union Cybersecurity Landscape - Legal Developments
Navigating the Evolving EU Cybersecurity Landscape and Compliance Guidance: NIS and NIS 2 Directive
In today's interconnected digital world, cybersecurity laws are essential safeguards against numerous cyber threats, including ransomware attacks, data breaches and cyber espionage. The European Union has been an early mover in enacting laws that regulate the digital space, whether for data privacy, artificial intelligence or cybersecurity.
This 'Round-Up' analyses the evolving EU cybersecurity landscape, highlighting key developments across jurisdictions. It offers insights into current and upcoming changes under the NIS Directives to help businesses navigate the regulatory environment. Additionally, it provides practical guidance for companies to comply with the directive's obligations, ensuring effective data protection and regulatory compliance.
The NIS Directive (Directive (EU) 2016/1148 on security of network and information systems) was adopted by the EU in 2016 to strengthen the cybersecurity resilience of critical infrastructure operators. It imposes obligations on operators of essential services (OES) and digital service providers (DSPs) to implement appropriate security measures, including risk management, incident reporting and cooperation with national authorities, fostering a proactive approach to protecting vital networks and systems. The NIS Directive is a cornerstone of the EU's efforts to enhance cybersecurity readiness and resilience and laid the groundwork for later legislation.
Building on this framework, the NIS 2 Directive (Directive (EU) 2022/2555) repeals and replaces the original NIS Directive and represents a pivotal advancement in the EU's cybersecurity standards. It introduces enhanced measures to address evolving cyber threats and digital vulnerabilities, with the aim of establishing a high common level of cybersecurity across the EU. Member States had until 17 October 2024 to transpose it into national law.
The shift from the NIS Directive to the NIS 2 Directive has several implications for EU businesses. First, NIS 2 expands the regulatory scope to a wider range of sectors, bringing many more organizations under cybersecurity obligations; this may require adjustments to security practices and investment in cybersecurity measures. Second, NIS 2 introduces stricter requirements for risk management, incident reporting and cooperation with national authorities, so businesses may need to enhance capabilities such as risk assessment processes and incident response plans. Overall, the transition is an opportunity for organizations to strengthen their resilience against cyber threats and improve their cybersecurity posture.
Transposition measures for Portugal, Slovenia, Romania, the Netherlands, Malta, Luxembourg, Latvia, Ireland, Greece, Estonia, Denmark and several other Member States had not yet been published at the time of writing; we are awaiting developments.
This section deals with several key requirements for companies as stipulated in the NIS 2 Directive.
NIS 2 introduces two categories of entity: "essential" and "important." Both are subject to the same risk management and reporting obligations; the difference lies in supervision and penalties. Essential entities are subject to both ex ante and ex post supervision (authorities may audit and inspect them proactively), whereas important entities are subject to ex post supervision only, with action taken upon evidence of non-compliance. The maximum administrative fines also differ: up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to EUR 7 million or 1.4% for important entities.
NIS 2 simplifies scoping for competent authorities through a size-cap rule. Sectors are defined in Annexes I and II of the Directive, and any large enterprise (250 or more employees, or annual turnover over EUR 50 million) or medium enterprise (50 or more employees, or annual turnover over EUR 10 million) operating in those sectors is in scope. Small and micro enterprises are not automatically excluded: Member States can extend the requirements to them where specific criteria indicate their societal or economic importance, and certain entity types (for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers) are in scope regardless of size.
NIS 2 requires Member States to establish a list of essential and important entities providing services that fall within its scope. Member States will require such entities to submit at least basic registration information to the competent authorities; under Article 3(4) of the Directive this comprises the entity's name, its address and up-to-date contact details (including email addresses, IP ranges and telephone numbers), the relevant sector and subsector, and, where applicable, the Member States in which it provides in-scope services.
The final list of information required will be defined as part of the transposition of the Directive into law. Additionally, Member States may establish national mechanisms for entities to register themselves.
To ensure that digital infrastructure and essential services remain resilient in the face of cyber threats, organizations must adhere to specific compliance requirements. The following table lists some of the technical, operational and organizational measures to manage the risks posed to the security of network and information systems that essential and important entities have to take in order to be compliant. Note that Article 21(2) of the Directive sets a broader minimum baseline, which also covers supply chain security, business continuity and backup management, policies on cryptography and encryption, access control and asset management, and the use of multi-factor authentication.
Component | Companies are required to |
---|---|
Vulnerability assessment | conduct vulnerability assessments to identify known vulnerabilities in their systems and handle and disclose them in a structured way. |
Incident response procedures | implement incident handling procedures to detect, respond to and recover from cyberattacks. |
Protective measures (including against zero-day vulnerabilities) | implement security measures to protect their networks and information systems from cyberattacks, including attacks exploiting vulnerabilities for which no patch yet exists. |
The NIS 2 Directive outlines specific requirements for incident reporting, including the timeframe for reporting, the information to be included in each report and the channels through which reports should be submitted. Timely and accurate incident reporting is essential for effective response and mitigation, and for enhancing overall cybersecurity resilience across critical sectors. The Directive treats as a basic obligation the reporting of significant incidents, meaning incidents that have caused or are capable of causing severe operational disruption or financial loss to the entity, or that have affected or are capable of affecting other persons by causing considerable material or non-material damage, as well as the notification of recipients of services about significant cyber threats.
The following table sets out the incident reporting structure provided by the NIS 2 Directive (Article 23):
NIS 2 Requirement | When to Report | What to Report | Who to report to |
---|---|---|---|
A notification to service recipients | without undue delay | any measures or remedies that those recipients can take in response to the threat and, where appropriate, the threat itself | recipients of services that are potentially affected by a significant cyber threat |
An early warning | without undue delay and, in any event, within 24 hours of becoming aware of the significant incident | whether the significant incident is suspected of being caused by unlawful or malicious acts, and whether it could have a cross-border impact | CSIRT or, where applicable, the competent authority |
An incident notification | without undue delay and, in any event, within 72 hours of becoming aware of the significant incident | an update of the early warning information and an initial assessment of the significant incident, including its severity and impact and, where available, indicators of compromise | CSIRT or, where applicable, the competent authority |
An intermediate report | upon the request of a CSIRT or the competent authority | relevant status updates | CSIRT or, where applicable, the competent authority |
A final report | not later than one month after the submission of the incident notification | (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; and (iv) where applicable, the cross-border impact of the incident | CSIRT or, where applicable, the competent authority |
A progress report | where the incident is still ongoing when the final report would be due; the final report then follows within one month of the entity handling the incident | current status of the ongoing incident | CSIRT or, where applicable, the competent authority |
The NIS 2 Directive introduces the concept of top management accountability, emphasizing the responsibility of "management bodies" to own cybersecurity risks and ensure effective governance. This aims to foster better risk management practices and governance within organizations. The Directive emphasizes the importance of clear accountability, although it does not solely focus on imposing sanctions; it also calls for regular training for executives to enhance their understanding of cybersecurity risks and management practices. Management bodies of essential and important entities must approve the cybersecurity risk management measures, supervise their implementation, can be held liable for infringements, and must undergo regular training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices. The Directive also encourages entities to offer similar training to their employees on a regular basis.
1. Hungary - Act XXIII of 2023, known as the Cybersecurity Certification and Cybersecurity Supervision Act ("CyberCert Act") - Forerunner in adopting the NIS 2 Directive.
2. Croatia - Croatia Cybersecurity Act, 2024 ("CCA").