European Union: Passed Network and Information Security Directive (NIS2) to ensure a higher level of cybersecurity by European Parliament

Description

On 10 November 2022, the European Parliament passed the Network and Information Security Directive (NIS2). The regulated sectors include energy, transport, banking and finance, health, and providers of public electronic communications networks and digital services. The NIS2 specifies which incidents are classified as “significant” and provides further clarity on the classification of entities as “essential” or “important”. Entities classified as “essential” include qualified trust service providers, providers of public electronic communications networks or publicly available electronic communications services, and the entities listed in Annexes I and II. Entities not classified as “essential” are classified as “important”. “Essential entities” are subject to both the ex-ante and ex-post regulatory regimes, while “important entities” are subject only to the ex-post regime. Incidents that caused or are “capable of causing severe operational disruption or financial losses”, and those that affected or are “capable of affecting other natural or legal persons”, are subject to notification and reporting requirements. The NIS2 requires Member States to ensure that covered entities implement cybersecurity risk management measures to minimise the impact of incidents. These measures include establishing preventive, detective and responsive systems, employing cryptography and encryption, and maintaining backup management and disaster recovery. Furthermore, the NIS2 changes the time frame for reporting cyber incidents.

Providers are required to notify the Computer Security Incident Response Teams and the competent authorities without delay and, in any event, within 24 hours after becoming aware of a possible cyber incident that could cause a significant impact or “have a cross-border impact.” They must then, without delay and in any event within a maximum of 72 hours after becoming aware of the cyber incident, submit an incident notification that provides an initial impact assessment. Providers are also required to submit a final report within a month after the incident, outlining its severity and impacts, and, upon request from the competent authorities, an intermediate report. Finally, the NIS2 specifies that Member States should establish penalties for non-compliance with the cybersecurity risk management measures and reporting requirements at a maximum of EUR 10 million or up to 2% of global turnover for “essential entities”. The fines for “important entities” would be at least EUR 7 million or 1.4% of global turnover.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: supranational
Government Branch: legislature
Government Body: parliament

Complete timeline of this policy change

2020-12-16
under deliberation

On 16 December 2020, the European Commission submitted the Proposal for a Directive of the European…

2022-05-13
under deliberation

On 13 May 2022, the European Parliament and the Council of the European Union reached a political a…

2022-11-10
under deliberation

On 10 November 2022, the European Parliament passed the Network and Information Security Directive …

2022-11-28
adopted

On 28 November 2022, the Council of European Union adopted the Network and Information Security Dir…

2023-01-16
in grace period

On 16 January 2023, the Network and Information Security Directive (NIS2) enters into force with a …

2024-10-18
in force

On 18 October 2024, the Network and Information Security Directive (NIS2) was implemented. The NIS2…