NIS2: How Will Unified Cybersecurity Measures Impact the EU?
The European Union is enacting comprehensive new laws to ensure that higher levels of cybersecurity will be in place across Europe.
The new EU Network and Information Security Directive (NIS2) published by the European Commission in December 2020 will strengthen the capabilities of the 27 member states of the EU within the cybersecurity domain.
The European Council and the European Parliament reached a provisional agreement on May 13 2022 on the main provisions of NIS2. For entities that will come within the scope of NIS2, these new rules are designed to:
- Address the security of supply chains.
- Improve reporting obligations for cybersecurity breaches.
- Deliver higher supervisory and enforcement obligations covering cybersecurity.
It is anticipated that the European Parliament will approve the final agreed texts of NIS2 in September or October 2022. The provisions of NIS2 also require the approval of EU Telecom Ministers, and EU member states will have 21 months to transpose NIS2 into national laws after final EU institutional agreement is secured.
In reality, this means that NIS2 should become law within the European Union circa Q4 2024.
Scope of NIS2
An entity that employs more than 250 people and falls under the scope of NIS2 will have to assess the risk that a supplier poses to the supply chain
NIS2 applies to a broad range of sectors, including energy, health, financial services, digital infrastructure, manufacturing, digital providers, and public administration.
As this new NIS2 Directive will be transposed into national laws, EU governments will draw up a more precise list of the type of entities where NIS2 will apply. For example, federal and regional public administrations will come within the scope of NIS2.
The European Commission, the European Council, and the European Parliament aim to ensure that the practical implementation of NIS2 in the EU’s 27 member states will be unified.
Businesses want certainty when implementing NIS2
The rigorous enactment of NIS2 across the European Union, of course, is a very important exercise.
This is because NIS2 has a very wide applicability. Therefore, businesses who both supply and purchase goods and services want to clearly understand in both a practical and legal manner how NIS2 will operate in Europe. Providing businesses with this legal certainty must be a central component in the legislative rollout of NIS2. Moreover, common, technical, transparent and non-discriminatory criteria should be the guiding set of principles that will underpin the transposition of NIS2 into law in Europe.
It is open to member states to apply NIS2 to some small and medium enterprises (SMEs) if a government or national parliament decide it necessary to do so. But this is the exception as opposed to the rule. SMEs, in general, are excluded from the provisions of NIS2.
Protection of the EU internal market is crucial
Building a strong internal market where there is free movement of goods, people, services and capital is a key political priority for the European Union.
In the context of protecting the integrity of the internal market, it is vital that there is a uniform enactment of NIS2 within the 27 member states of the EU, as many companies sell products and provide services in multiple jurisdictions in Europe. From a legal perspective, entities will be deemed to be under the jurisdiction of the member state in which they are established, subject to some exceptions. For example, it is anticipated that the European Parliament and EU governments may support a proposal whereby providers of electronic communications services will be subject to the legal jurisdiction of the country where the services are actually provided.
Stronger governance structures for NIS2
NIS2 will set up the new European Cyber Crises Organization Network (CyCLONe) consisting of representatives from the EU’s 27 member states to coordinate the management of large-scale cybersecurity incidents in Europe.
Companies found to be in breach of NIS2 can be fined up to a level of 2% of their global revenues, which will also inevitably bring reputational damage.
Each country in the EU must set up one national contact point that will implement, supervise, and enforce NIS2. Entities will have 72 hours to formally notify their national contact point of the nature and the impact of a cybersecurity incident. An early warning system of 24 hours is also part of NIS2, where a company can inform the appropriate authorities if the cybersecurity breach is malicious or not.
- Cybersecurity & Better Regulation [article]
- How You Can Safeguard Your Data Against Ransomware [article]
- Cybersecurity: Safeguarding the Digital Transformation of Enterprises [Huawei solutions & technologies]
Disclaimer: Any views and/or opinions expressed in this post by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Huawei Technologies.