EU Adopts Enhanced Legal Framework to Provide for High Common Level of Cybersecurity

Jones Day

The Council of the European Union ("EU") adopted a new Directive to strengthen cybersecurity and resilience across the Union.

Following the European Parliament's approval on November 10, 2022, the Council of the European Union announced on November 28, 2022, that it adopted the new Directive (EU) 2022/0383 on measures for a high common level of cybersecurity across the Union ("NIS 2"), repealing Directive (EU) 2016/1148.

Aim and Scope

Based on the experience to date with Directive (EU) 2016/1148, NIS 2 aims at further harmonizing cybersecurity requirements and their implementation across the EU. It extends the scope of both the sectors and entities covered by the former Directive to include: (i) medium-sized and large "essential and important" entities operating in new sectors, including public electronic communications networks or services, social networking services platforms and data centers, space, public administration and manufacture of critical products, such as pharmaceuticals, medical devices, or chemicals; as well as (ii) certain critical "essential and important" entities, irrespective of their size.

Three-Stage Incident Reporting and Risk Management

NIS 2 foresees more stringent reporting obligations, the most important of which is a three-stage incident reporting process. NIS 2 furthermore obliges the responsible entities to implement cybersecurity risk management measures and sets minimum measures to be adopted internally and in the supply chain.

As a means of strengthening compliance with security governance, NIS 2 imposes upon management bodies of the responsible entities approval and supervisory responsibilities in relation to cybersecurity risk management and establishes management liability for violations of NIS 2.

Moreover, to address compliance and incident management, NIS 2 introduces stricter enforcement requirements. Administrative fines, applicable to specific breaches, may be imposed in the amount of up to 10 million EUR or 2% of the total worldwide annual turnover, whichever is higher, for essential entities, and up to 7 million EUR or 1.4% of the total worldwide annual turnover, whichever is higher, for important entities.

European Cyber Crises Liaison Organization Network

NIS 2 also establishes the European Cyber Crises Liaison Organization Network ("EU-CyCLONe"), which will support the coordinated management of large-scale cybersecurity incidents and lay down mechanisms for effective cooperation among relevant authorities in each Member State.

Next Steps

NIS 2 will enter into force on the 20th day following its publication in the Official Journal of the EU. From this date, Member States will have 21 months to implement NIS 2 provisions into national law.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising
