
EU implements new directive to boost cybersecurity

29/11/2024

The European Union has taken another major step to boost the cyber resilience of Europe's critical digital infrastructure with the implementation of the NIS2 Directive on cybersecurity.


The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive, which modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.


By expanding the scope of the cybersecurity rules to new sectors and entities, it is designed to improve the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.


The Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

  • Member States' preparedness, by requiring them to be appropriately equipped, for example with a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority;

  • cooperation among all the Member States, by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States;

  • a culture of security across sectors vital for the economy and society that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents.

Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.


The Directive covers entities operating in sectors that are critical for the EU economy and society, including providers of public electronic communications services, ICT service management, digital services, wastewater and waste management, space, health, energy, transport, manufacturing of critical products, postal and courier services and public administration.


The Directive strengthens security requirements imposed on the companies and addresses the security of supply chains and supplier relationships. It streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, and aims at harmonising sanctions regimes across Member States.


It is also aimed at increasing information sharing and cooperation on cyber crisis management at a national and EU level.


For many digital providers, NIS2’s new enhanced cybersecurity obligations, incident reporting requirements, audit and oversight measures, and enforcement powers will represent a marked shift in how these sectors approach cybersecurity compliance in Europe.


The designation ‘digital provider’ includes digital infrastructure providers, digital service providers, managed service providers and managed security service providers.


The enhanced enforcement powers, underpinned by fining powers of up to €10m or 2% of worldwide turnover and in some cases sanctions against management and the C-suite, make NIS2 a key regulatory challenge heading into 2025.


Given their key role in the European economy, nearly all digital sectors are categorised under NIS2 as ‘essential’ with the notable exception of digital service providers, which are regarded as ‘important’.


One of the crucial aspects of NIS2 is the emphasis on breach reporting, which requires affected entities to promptly report any cybersecurity incidents to the relevant authority without undue delay and no later than 24 hours after detection of the incident, with more detailed reporting at additional intervals. Incident thresholds for core network-based digital infrastructure providers differ markedly across DNS providers, TLD name registries and cloud providers.


These enhanced reporting criteria are in addition to those that apply to the broader category of digital providers. The Directive additionally mandates digital providers to undertake cybersecurity risk-management measures.


W Denis Europe arranges comprehensive insurance for EEA-based businesses, large and small, including Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit www.wdenis.eu or contact:


Eastern Europe

Vida.Jarasiunaite@wdenis.eu


Southern Europe

Christos.Hadjisotiris@wdenis.com


Western Europe &/or elsewhere worldwide

Mark.Dutton@wdenis.com
