On November 10, 2022, the European Parliament adopted a new cybersecurity directive (the “NIS2 Directive”), which is designed to replace and repeal the existing EU Directive on the Security of Network and Information Systems (Directive (EU) 2016/1148) (the “NIS Directive”). The objective of the NIS2 Directive is to achieve a higher common level of cybersecurity across the EU than has been the case under the NIS Directive. It is also designed to promote greater harmonization of cybersecurity rules across EU Member States, in response to the divergent ways in which Member States transposed and applied the NIS Directive.
The NIS2 Directive will require EU Member States to implement new and more stringent cybersecurity rules. In particular, EU Member States must ensure that in-scope entities take appropriate and proportionate technical, operational, and organizational measures to manage the risks to their network and information systems, covering, at a minimum, a specified list of matters, such as incident handling, business continuity, supply chain security, cryptography and encryption, access control, the use of multi-factor authentication, and vulnerability handling and disclosure.
In-scope entities will also be subject to updated incident notification requirements, including an EU-wide obligation to submit an “early warning” to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours of that awareness and a final report within one month of the incident notification.
The NIS2 Directive will also expand the range of entities and sectors that are covered by cybersecurity rules, in comparison to those covered under the current NIS Directive (i.e., energy, transport, banking, financial market infrastructures, health sector, drinking water, digital infrastructure, online marketplaces, online search engines, and cloud computing services). NIS2 will also cover, for example:
- providers of social networking platforms;
- additional digital infrastructure service providers (such as providers of public electronic communications networks and services);
- ICT service management providers;
- public administration entities;
- postal and courier services;
- entities involved in the production, processing, and distribution of food;
- certain manufacturers (e.g., of medical devices);
- pharmaceutical companies; and
- research organizations.
Further, the NIS2 Directive will establish a framework for better cyber cooperation and information sharing between different EU Member States, and create a European vulnerability database.
The adopted text can be read here. The Council of the European Union must formally adopt the law before it will be published in the EU’s Official Journal.