NIS2 Directive: the Council adopted new legislation for a high common level of cybersecurity across the Union
On 28 November 2022, the NIS2 Directive on measures for a high common level of cybersecurity across the Union was adopted by the co-legislators: the Council approved the European Parliament's position, adopted at first reading in Plenary on 10 November.
The new legislation, which corresponds to the provisional agreement reached between the EP and the Council in May, will replace the current directive on security of network and information systems (the NIS Directive), setting tighter obligations for cybersecurity risk management, incident reporting and information sharing. It aims to introduce baseline cybersecurity risk-management measures and reporting obligations across the sectors covered by the Directive. Moreover, NIS2 will formally establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which is intended to support the coordinated management of large-scale cybersecurity incidents and crises. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure.
Key points
- All public and private medium-sized and large entities providing their services or carrying out their activities within the Union are in scope.
- The "manufacture of machinery and equipment n.e.c." sector is included in Annex II (list of other critical sectors), and its entities are classified as important entities.
- The distinction between essential and important entities depends on the size-cap rule and criticality criteria.
- Essential and important entities are obliged to notify any changes to their registration details without delay (within two weeks from the date of the change).
- Cybersecurity risk-management obligations are based on an all-hazards approach.
- Essential and important entities are obliged to notify any significant incident to the CSIRT or the competent authority without undue delay (within 24 hours, within 72 hours, and a final report no later than one month).
- Essential and important entities are subject to administrative fines for infringements of the cybersecurity risk-management measures or the reporting obligations.
- The transposition period is 21 months from the entry into force of the Directive.
Next Steps
The legislative procedure is now complete. The Directive will be published in the Official Journal of the EU in the coming days and will enter into force on the twentieth day following its publication.
Member States will have 21 months from the entry into force of the Directive to incorporate its provisions into their national law.
The legislative text as adopted by the Council is available from the Council.