New stronger rules start to apply for the cyber and physical resilience of critical entities and networks
Two key directives on critical and digital infrastructure have just entered into force and will strengthen the EU's resilience against online and offline threats, from cyberattacks to crime, risks to public health or natural disasters.
Recent threats to the EU's critical infrastructure have attempted to undermine our collective security. Already in 2020, the Commission had proposed a significant upgrade to the EU's rules on the resilience of critical entities and the security of network and information systems.
The 2 Directives entering into force are:
- Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive);
- Directive on the resilience of critical entities (CER Directive).
The NIS 2 Directive will ensure a safer and stronger Europe by significantly expanding the sectors and type of critical entities falling under its scope. These include providers of public electronic communications networks and services, data centre services, wastewater and waste management, manufacturing of critical products, postal and courier services and public administration entities, as well as the healthcare sector more broadly. Furthermore, it will strengthen the cybersecurity risk management requirements that companies are obliged to comply with, as well as streamline incident reporting obligations with more precise provisions on reporting, content and timeline. The NIS2 Directive replaces the rules on the security of network and information systems, the first EU-wide legislation on cybersecurity.
Against an ever more complex risk landscape, the new CER Directive replaces the European Critical Infrastructure Directive of 2008. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. 11 sectors will be covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.
Member States have 21 months to transpose both Directives into national law.
Abstract from : https://digital-strategy.ec.europa.eu/fr/news/new-stronger-rules-start-a...
Documentation
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
in Official Journal of the European Union 27.12.2022 L 333 - Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC
in Official Journal of the European Union 27.12.2022 L 333 - Critical Infrastructure: Commission accelerates work to build up European resilience
- https://ec.europa.eu/commission/presscorner/detail/en/ip_22_6238