The European Commission has adopted the first implementing rules on cybersecurity of critical entities and networks under the Directive on measures for a high common level of cybersecurity across the EU (NIS2 Directive). This implementing act details cybersecurity risk management measures as well as the cases in which an incident should be considered significant and companies providing digital infrastructures and services should report it to national authorities.
The EC said that this is another major step in boosting the cyber resilience of Europe's critical digital infrastructure. The implementing regulation will apply to specific categories of companies providing digital services, such as cloud computing service providers, data center service providers, online marketplaces, online search engines, and social networking platforms, to name a few. For each category of service providers, the implementing act also specifies when an incident is considered significant.
The adoption of the regulation coincides with the deadline for Member States to transpose the NIS2 Directive into national law. As of today, all Member States must apply the measures necessary to comply with the NIS2 cybersecurity rules, including supervisory and enforcement measures. The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped to achieve a common level of security of network and information systems across the EU. As part of its key policy objective to make Europe fit for the digital age, the Commission proposed the revision of the NIS Directive in December 2020. After entering into force in January 2023, Member States had to transpose the NIS2 Directive into national law by 17 October 2024.
The NIS2 Directive aims to ensure a high level of cybersecurity across the Union. It covers entities operating in sectors that are critical for the economy and society, including providers of public electronic communications services, ICT service management, digital services, wastewater and waste management, space, health, energy, transport, manufacturing of critical products, postal and courier services and public administration. The Directive strengthens security requirements imposed on the companies and addresses the security of supply chains and supplier relationships. It streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, and aims at harmonizing sanctions regimes across Member States.
The European Commission has adopted the first implementing rules on cybersecurity of critical entities and networks under the Directive on measures for a high common level of cybersecurity across the EU (NIS2 Directive).
The industry association GSMA decided to postpone its upcoming MWC Kigali 2024 event.
More excellent research, impactful innovation, and technology scale-ups are needed to make Europe more globally competitive, secure, and sustainable.
