Description

Introduced Network and Information Security Directive (NIS2) including cybersecurity requirements

On 16 December 2020, the European Commission submitted the Proposal for a Directive of the European Parliament and the Council on measures for a high common level of cybersecurity in the Union, repealing EU Directive 2016/1148 (NIS1). The Proposal aims to harmonise cybersecurity standards across the European Union, specify the essential or important entities subject to the requirements and outline the exemptions for micro and small companies. The sectors regulated include energy, transport, banking and finance, health and digital services. The Proposal would require Member States to adopt a national security strategy to define their strategic objectives and the regulatory measures they intend to implement to achieve an adequate level of harmonisation of cybersecurity requirements. The Proposal notes that the Member States will be required to ensure the covered entities implement cybersecurity risk management measures, including establishing preventive, detective and responsive systems and employing cryptography and encryption. Furthermore, the Proposal stipulates the obligation of providers to notify the Computer Security Incident Response Teams and the competent authorities of incidents that cause “substantial operational disruptions” without delay and, in any event, within 24 hours after the incident was detected. The providers will also be required to submit a report within a month after the incident, outlining the severity of the cyber incident and its impacts. Finally, the Proposal specifies that the Member States should establish penalties for non-compliance with the cybersecurity risk management measures and reporting requirements at a maximum of EUR 10 million or up to 2% of the global turnover of the entity.

Original source

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: supranational
Government Branch: executive
Government Body: central government

Complete timeline of this policy change

2020-12-16
under deliberation

On 16 December 2020, the European Commission submitted the Proposal for a Directive of the European…

2022-05-13
under deliberation

On 13 May 2022, the European Parliament and the Council of the European Union reached a political a…

2022-11-10
under deliberation

On 10 November 2022, the European Parliament passed the Network and Information Security Directive …

2022-11-28
adopted

On 28 November 2022, the Council of the European Union adopted the Network and Information Security Dir…

2023-01-16
in grace period

On 16 January 2023, the Network and Information Security Directive (NIS2) enters into force with a …

2024-10-18
in force

On 18 October 2024, the Network and Information Security Directive (NIS2) was implemented. The NIS2…