European Union: Implemented Network and Information Security Directive (NIS2) including data protection authority governance

On 18 October 2024, the Network and Information Security Directive (NIS2) was implemented. The NIS2 aims to ensure a higher level of cybersecurity at the EU level by coordinating national approaches to and Governance of cybersecurity. The Member States had until 17 October 2024 to transpose the Directive into national law. Under the Directive, the Member States must adopt a national security strategy and define their strategic objectives and the regulatory measures they intend to take to achieve an adequate level of cyber security harmonisation. Each Member State is required to designate one or more competent national authorities to manage large-scale crises or incidents and supervise the application of the Directive at the national level, and establish single points of contact and Computer Security Incident Response Teams (CSIRTs), which will act as trusted intermediaries to facilitate interaction between the various entities involved and will be linked by a network of national CSIRTs. A cooperation group composed of representatives from each member state, the Commission and the European Union Agency for Cybersecurity (ENISA) is also established to conduct cyber risk assessments and issue security standards. The European Cyber Crises Liaison Organisation Network (EU - CyCLONe), consisting of representatives of each member state, the Commission and ENISA, will also be established to coordinate large-scale cybersecurity NIS2 in each member state.