Europe has moved closer to new cybersecurity standards and new reporting rules following a provisional agreement on networks and information systems dubbed NIS2 by the European Council and Parliament.
Once approved, NIS2 [PDF] will replace the current Directive on the Security of Networks and Information Systems, aka NIS, which was adopted in 2016. The new directive sets stricter requirements – and possible penalties, including fines – for a greater number of sectors that must comply with computer security rules.
It also aims to eliminate “major discrepancies” between EU member states’ risk management and security reporting rules by establishing uniform criteria for assessing, reporting and taking action to reduce cyber risk.
While the original rules applied to the sectors of health, digital infrastructure and services, transport, water supply, banking and financial infrastructure and energy, NIS2 expands the list of industries covered.
The updated security regulations will apply to all medium and large entities in the following sectors and services: providers of electronic communications networks or utilities, wastewater and waste management, manufacture of certain critical products (such as pharmaceuticals, medical devices and chemicals), food, digital services such as social networking service platforms and data center services, space, postal and courier services.
NIS2 will also apply to public administration entities at central and regional level, while Member States have the power to decide that the directive will also apply at local level.
Some key industries are excluded from regulation. These include defense and national security agencies, public safety, law enforcement and the judiciary. Parliaments and central banks are also exempt.
The basic practices included in NIS2 cover basic computer hygiene, cybersecurity training, use of cryptography, human resources security, access control policies and asset management, as well as incident response and crisis management, vulnerability management and disclosure, and policies and procedures for evaluating the effectiveness of cybersecurity risk management measures, according to a European Commission fact sheet.
NIS2 also sets up a European network of cyber crisis liaison organisations, dubbed EU-CyCLONe, to help manage large-scale online attacks across Europe, as well as to coordinate vulnerability disclosure and increase information sharing and cooperation between government and private sector organizations.
Meanwhile, companies that fail to comply with the new risk management and reporting rules face fines of up to €10 million or 2% of their global annual turnover, whichever is higher.
Once adopted by the Council and the European Parliament, Member States will have 21 months to incorporate NIS2 into their national legislation.
EU commissioners, for their part, welcomed the deal.
“In today’s cybersecurity landscape, cooperation and the rapid sharing of information are of paramount importance,” Thierry Breton, Commissioner for the Internal Market, said in a statement. “With the agreement of NIS2, we are modernizing the rules to further secure critical services for society and the economy. So this is a major step forward.”