The NIS2 Directive will cover a wider range of critical sectors and strengthen the cybersecurity requirements imposed on companies.
EU lawmakers have agreed to bring in tougher cybersecurity rules in response to increased digitisation and the rise of malicious cyber activity globally.
The new measures, first proposed by the European Commission at the end of 2020, look to boost the cyber resilience of entities across range of sectors deemed critical for the economy and society.
These include the healthcare sector and medical devices, energy grids, digital services, waste management, critical product manufacturing and public administration.
The new regulations expand the scope of the existing Network and Information Security (NIS) Directive, which paved the way for a “significant” change in the institutional and regulatory approach to cybersecurity in many EU countries, according to the European Commission.
The NIS2 Directive now aims to increase the cybersecurity requirements imposed on companies with new standards and reporting rules.
It includes top management accountability for any non-compliance with the cybersecurity obligations, as well as measures to protect supply chains and supplier relationships.
Last year, the European Commission proposed a new Joint Cyber Unit to strengthen cooperation between EU bodies and national authorities responsible for preventing, deterring and responding to cyberattacks. The proposal came weeks after the ransomware attack on the HSE and several high-profile attacks in the US.
One of its key responsibilities would be delivering the EU cybersecurity incident and crisis response plan, based on national plans proposed in NIS2.
EU commissioner for competition Margrethe Vestager said a number of “building blocks” for digital transformation have been put in place in recent months, such as the Digital Markets Act and the Digital Services Act.
“This is another important breakthrough of our European digital strategy, this time to ensure that citizens and businesses are protected and trust essential services,” Vestager said.
The NIS2 Directive is now subject to formal approval after an agreement was reached last Friday (13 May) between the European Parliament and EU member states.
Speaking of the EU proposals, Trevor Dearing, EMEA director of critical infrastructure at cybersecurity company Illumio, noted the benefits of making senior management more responsible for cybersecurity efforts.
“Placing culpability on each individual organisation should encourage stricter adherence to the regulations because of the consequent fines and reputational damage for neglecting to do so,” Dearing said.
This view was shared by Safe Security CEO Saket Modi, who said management teams and security teams will need to acknowledge that cybersecurity “is now a business discussion, not just a technical discussion”.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.