European Union: Entry into force with grace period of Network and Information Security Directive (NIS2) including data protection authority governance

On 16 January 2023, the Network and Information Security Directive (NIS2) enters into force with grace period. The member states are required to transpose and apply the requirements from 18 October 2024. The NIS2 aims to ensure a higher level of cybersecurity at the EU level by coordinating national approaches to and governance of cybersecurity. It requires each member state to adopt a national security strategy and to define its strategic objectives and the regulatory measures it intends to take to achieve an adequate level of harmonisation of the companies falling within its scope. Each member state will be required to designate one or more competent national authorities to manage large-scale crises or incidents and supervise the application of the directive at the national level, and establish single points of contact and Computer Security Incident Response Teams (CSIRTs), which will act as trusted intermediaries to facilitate interaction between the various entities involved and will be linked by a network of national CSIRTs. A cooperation group composed of representatives from each member state, the Commission and the European Union Agency for Cybersecurity (ENISA) is also established to conduct cyber risk assessments and issue security standards. The European Cyber Crises Liaison Organisation Network (EU - CyCLONe), consisting of representatives of each member state, the Commission and ENISA, will also be established to coordinate large-scale cybersecurity NIS2 in each member state.