Since Safer Internet Day takes place in February, we decided to share with you a topic that has emerged as one of the main concerns and priorities of the European Union over the last few years – the topic of cybersecurity. As a result, several Directives have been debated and approved over the years in order to ensure a safer, more connected and more digital Europe. But can you tell the differences between them? Are you aware of the most recent legal developments?
The EU's first law on cybersecurity, the NIS Directive, which came into force in 2016 and was further amended in December 2020, helped achieve a common level of security of network and information systems across the Union. In addition, the EU Cybersecurity Act, in force since 2019, has provided Europe with a cybersecurity certification framework for products, services and processes and has strengthened the powers conferred upon the EU Agency for Cybersecurity (ENISA).
The scope of these rules has never, however, been as broad as the scope of the NIS2 Directive (Directive 2022/2555), which came into force on 16 January 2023. This instrument repealed the NIS Directive (Directive (EU) 2016/1148) and improves cybersecurity risk management by introducing reporting obligations in specific sectors. Its main objective is to implement measures aimed at ensuring a high common level of cybersecurity throughout the Union.
The NIS2 Directive aims to strengthen the cybersecurity requirements imposed on entities by addressing the security of supply chains and supplier relationships and by introducing senior management liability in the event of failure to comply with the applicable obligations. It also extends the scope of the rules by compelling more entities and sectors to adopt cybersecurity risk management measures, streamlines reporting obligations, introduces stricter supervisory measures for national authorities and stricter enforcement requirements, and harmonises the sanctioning regimes across Member States.
The scope of the Directive now extends to two categories of entities: essential entities and important entities, i.e., medium and large enterprises operating in sectors that are critical for both the economy and society. This includes providers of public electronic communications services, digital services, postal and courier services, and public administration at national and regional level, among others. It also covers the healthcare sector more broadly, by bringing into its scope, for example, medical device manufacturers. Essential and important entities that fail to comply with the provisions of the Directive shall be subject to fines.
The Directive must be transposed by the Member States by 17 October 2024.
Despite the costs and challenges involved in implementing these measures, the fact is that the costs of cybercrime to the global economy appear to be much higher, according to data shared by the European Commission. Hence the widespread consensus on the need for their effective enforcement.
Based on the experience of enforcing previous Directives, and given the urgent need to implement common cybersecurity rules efficiently across the Union, one can, more than ever, expect the national competent authorities, the operators and the European Commission to cooperate with one another and to put their best efforts into seeking joint responses to the problems that may arise, as a way to achieve the defined goals.
Is your business covered by the new Directive? CCA can assist you.