Cybersecurity: Stronger rules start to apply for the cyber and physical resilience of critical entities and networks
Recent threats to the EU’s critical infrastructure have attempted to undermine our collective security. Already in 2020, the Commission had proposed a significant upgrade to the EU’s rules on the resilience of critical entities and the security of network and information systems. Today, two key directives on critical and digital infrastructure will enter into force and will strengthen the EU’s resilience against online and offline threats, from cyberattacks to crime, risks to public health or natural disasters – the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) and the Directive on the resilience of critical entities (CER Directive).
The NIS 2 Directive will ensure a safer and stronger Europe by significantly expanding the sectors and type of critical entities falling under its scope. These include providers of public electronic communications networks and services, data centre services, wastewater and waste management, manufacturing of critical products, postal and courier services and public administration entities, as well as the healthcare sector more broadly. Furthermore, it will strengthen the cybersecurity risk management requirements that companies are obliged to comply with, as well as streamline incident reporting obligations with more precise provisions on reporting, content and timeline. The NIS2 Directive replaces the rules on the security of network and information systems, the first EU-wide legislation on cybersecurity.
Against an ever more complex risk landscape, the new CER Directive replaces the European Critical Infrastructure Directive of 2008. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. 11 sectors will be covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.
Member States have 21 months to transpose both Directives into national law. During this time, Member States shall adopt and publish the measures necessary to comply with them.
In December 2022, the Council has adopted a recommendation on a Union-wide coordination approach to strengthen the resilience of critical infrastructure where Member States are invited to accelerate preparatory work for the transposition and application of NIS 2 and of the Directive on the resilience of critical entities (CER).
More information on the NIS2 Directive is available here, in this Q&A and in this factsheet and on the CER Directive here.
(For more information: Johannes Bahrke – Tel.: +32 2 295 86 15; Anitta Hipper – Tel.: +32 2 298 56 91; Marietta Grammenou – Tel.: +32 2 298 35 83; Andrea Masini – Tel.: +32 2 299 15 19)
This article incorporates information and material from various online sources. We acknowledge and appreciate the work of all original authors, publishers, and websites. While every effort has been made to appropriately credit the source material, any unintentional oversight or omission does not constitute a copyright infringement. All trademarks, logos, and images mentioned are the property of their respective owners. If you believe that any content used in this article infringes upon your copyright, please contact us immediately for review and prompt action.
This article is intended for informational and educational purposes only and does not infringe on the rights of the copyright owners. If any copyrighted material has been used without proper credit or in violation of copyright laws, it is unintentional and we will rectify it promptly upon notification. Please note that the republishing, redistribution, or reproduction of part or all of the contents in any form is prohibited without express written permission from the author and website owner. For permissions or further inquiries, please contact us.