EU Parliament, Council Agree on Cybersecurity Risk FrameworkNIS2 Directive Aims to Counter Increasing Cyberthreats to Europe
The European Parliament and the Council of the European Union, the EU's 27-member executive branch, have reached a provisional agreement to set a "baseline for cybersecurity risk management measures and reporting obligations."
The new directive, called NIS2, is a modernized framework based on the EU Network and Information Security Directive. It applies across sectors, including energy, transportation, health and digital infrastructure.
The Council of the EU tells Information Security Media Group that the agreement is only "provisional," meaning that the finalized legislative text is still subject to technical negotiations between the two co-legislators - the Council and Parliament. It would require formal approval by both institutions at a later stage, probably in June, the Council says.
After final approval, the entities will have a 21-month compliance window. "Once published in the official journal, the directive will enter into force 20 days after publication and [the] member states will then need to transpose the new elements of the directive into national law. Member states will have 21 months to transpose the directive into national law," the European Commission says.
The Commission initially proposed the latest framework in December 2020. It will replace the current NIS directive on the security of network and information systems. The 2016 NIS Directive called for EU members to implement measures "for a high common level of security of network and information systems" for critical sectors across the EU.
"As part of its key policy objective to make Europe fit for the digital age, the Commission proposed the revision of the NIS Directive in December 2020. The EU Cybersecurity Act that has been in force since 2019 equipped Europe with a framework of cybersecurity certification of products, services and processes and reinforced the mandate of the EU Agency for Cybersecurity (ENISA)," the European Commission says.
The New Framework
"The new framework has a wider scope to include medium-sized entities and streamlined incident reporting requirements," the International Association of Privacy Professionals says.
"The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement," according to the Council of the EU.
The directive will also establish the European Union Cyber Crises Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.
The European Commission says that the latest framework is set up to counter Europe's increased exposure to cyberthreats. The NIS2 directive will also cover more sectors that are critical for the economy and society, including providers of public electronic communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration, both at a central and regional level.
"It also covers more broadly the healthcare sector, for example by including medical device manufacturers, given the increasing security threats that arose during the COVID-19 pandemic. The expansion of the scope covered by the new rules, by effectively obliging more entities and sectors to take cybersecurity risk management measures, will help increase the level of cybersecurity in Europe in the medium and longer term," according to the European Commission.
Erfan Shadabi, a cybersecurity expert at cybersecurity firm comforte AG, tells ISMG that this is a strategic move by the European Commission as more industries have been recognized as "vital." Potential cyber incidents in these industries could have a knock-on effect on other industries and could cause disruption across the economy, he says.
"For companies, this is a good reminder that they need to rethink their security posture and determine whether or not they comply with the NIS directive. As ongoing incidents and these directives demonstrate, the unthinkable can quickly become highly likely for organizations at all levels," Shadabi says.
The Widening Scope
The latest framework also strengthens cybersecurity requirements imposed on the enterprises and addresses the security of supply chains and supplier relationships. The framework will hold top management accountable for noncompliance with the cybersecurity obligations.
"It streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, and aims at harmonizing sanctions regimes across member states. It will help increase information sharing and cooperation on cyber crisis management at a national and EU level," the Commission says.
Thierry Breton, commissioner of the EU's internal market, says that as cyberthreats become more complex, "cooperation and rapid information sharing are of paramount importance."
"With the agreement of NIS2, we modernize rules to secure more critical services for society and economy. This is therefore a major step forward. We will complement this approach with the upcoming Cyber Resilience Act that will ensure that digital products are also more secure whenever they are used," he adds.
"The European Parliament and the Council have aligned the text with sector-specific legislation, in the particular regulation on the digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts," a Council of the EU statement says.
The two co-legislators have also proposed a voluntary peer-learning mechanism to increase mutual trust and learning from good practices and experiences to achieve a high common level of cybersecurity. They aim to streamline reporting obligations to avoid over-reporting and creating an excessive burden on the entities covered.
Greg Day, global field CISO at cybersecurity firm Cybereason, tells ISMG that it is "too early" to tell what impact, if any, the NIS2 directive will have.
"Being a directive, this is something that each country now has to convert into their own national law," he says.
Day says that one of the challenges in the previous version of the directive was that international companies struggled to truly understand what it meant to them, as they had to comply with each country's different implementation of the directive.
"What's been very positive to see of late is the recognition that as the world becomes more digital and threats continue to evolve, so must the legislative controls required," he says. But he adds that there is also the financial reality that not every agency in every country will have the same access to budgets and skills.