The EU Parliament Adoption of the NIS2 Directive to Curb Cybersecurity Threats
The EU Parliament adopted the NIS2 (Network and Information Security) Directive, which aims to curb the cybersecurity threat felt across the Union. Although the existing Network and Information Security (NIS) directive that came into force in 2016 remains in place, it has not mitigated most of the security breaches as expected. Hence the NIS2 directive, which captures and addresses a broader range of cybersecurity concerns in the EU. The EU Parliament adopted NIS2 on November 10, 2022.
The new regulations direct EU nations to adhere to more substantial supervision and compliance standards and to streamline their sanctions. The NIS2 directive is expected to compel more organizations and industries to adopt uniform policies, toughen security regulations, and tackle supply chain security.
It will simplify disclosure requirements, enact more robust enforcement guidelines and supervisory controls, and implement consistent fines across the EU. The NIS2 directive provides new regulations to promote cybersecurity within the EU - for both businesses and nations. It tightens the cybersecurity standards for large and small businesses that operate in crucial industries or offer services in those areas.
The law, already approved in May by the Council and MEPs, will impose stricter cybersecurity standards for risk management, reporting requirements, and information exchange. Besides other measures, the rules encompass the incident management process, supply chain security, encryption, and vulnerability reporting.
More organizations and sectors will also need to take precautions for their protection. The enhanced security regulations will apply to crucial sectors like those in the energy, transportation, finance, health, and space industries, as well as to digital infrastructure and public administration. However, it doesn't cover the courts, enforcement agencies, or public and national security.
According to the lead MEP Bart Groothuis (Renew, NL), “Ransomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments and society more resilient to hostile cyber operations.” He went further to say, “This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work. It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale.”
The new law will apply to large and medium-sized businesses in specific industries. If approved, the legislation will provide a database of European vulnerabilities and establish a framework for improved communication and information exchange between various institutions and member states.
Parliaments and central banks are exempt from the law's application, although public administration at the national and local levels is covered. More organizations and industries must implement cybersecurity risk mitigation strategies, including those offering public digital communication services, operating social media platforms, producing vital goods like medical equipment, and providing postal and courier services.