European Parliament and Council agree on cybersecurity risk framework


The NIS2 directive aims to counter the increase in cyber threats in Europe

Prajeet Nair (@prajeetspeaks) •
May 16, 2022

The EU plans to counter the increase in cyber threats following the Russian-Ukrainian war. (Photo: Dusan_Cvetanovic, Pixabay)

The European Parliament and the Council of the European Union, the executive branch of the EU made up of 27 members, have reached a provisional agreement to establish a “baseline for cybersecurity risk management measures and compliance obligations,” according to a statement.


The new directive, called NIS2, is a modernized framework based on the EU’s Network and Information Security Directive. It applies to all sectors, including energy, transport, health and digital infrastructure.

The Council of the EU told Information Security Media Group that the agreement is only “provisional”, meaning that the finalized legislative text is still subject to technical negotiations between the two co-legislators – the Council and the Parliament. This would require the formal approval of both institutions at a later stage, probably in June, according to the Council.

After final approval, entities will have a 21-month compliance window. “Once published in the Official Journal, the Directive will enter into force 20 days after its publication and [the] Member States will then have to transpose the new elements of the directive into their national law. Member states will have 21 months to transpose the directive into national law,” the European Commission said.

The Commission originally proposed the latest framework in December 2020. It will replace the current NIS Directive on the security of network and information systems. The 2016 NIS Directive called on EU members to implement measures “for a high common level of security of network and information systems” for critical sectors across the EU.

“As part of its key political objective of preparing Europe for the digital age, the Commission proposed the revision of the NIS Directive in December 2020. The European cybersecurity law in force since 2019 has provided Europe with a cybersecurity certification framework for products, services and processes and strengthened the mandate of the EU Agency for Cybersecurity (ENISA),” says the European Commission.

The new framework

“The new framework has a broader scope to include medium-sized entities and simplified incident reporting requirements,” says the International Association of Privacy Professionals.

“The revised directive aims to eliminate the divergences in cybersecurity requirements and in the implementation of cybersecurity measures in the different Member States. To do this, it establishes minimum rules for a regulatory framework and establishes mechanisms for effective cooperation between the competent authorities of each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement,” according to the EU Council.

The Directive will also establish the European Union Cyber Crisis Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.

The European Commission says the latest framework is being put in place to counter Europe’s increased exposure to cyber threats. The NIS2 Directive will also cover more sectors critical to the economy and society, including providers of public electronic communications services, digital services, sewage and waste management, manufacturing of critical products, postal services and messaging and public administration, at a central and regional level.

“It also covers the healthcare sector more broadly, for example by including manufacturers of medical devices, given the growing security threats that emerged during the COVID-19 pandemic. The expanded scope covered by the new rules, by effectively obliging more entities and sectors to take cybersecurity risk management measures, will contribute to increasing the level of cybersecurity in Europe in the medium and long term,” according to the European Commission.

Erfan Shadabi, cybersecurity expert at cybersecurity firm Comforte AG, told ISMG that this is a strategic decision by the European Commission as more and more industries have been recognized as “vital”. Potential cyber incidents in these industries could have a ripple effect on other industries and could disrupt the entire economy, he says.

“For businesses, this is a good reminder that they need to rethink their security posture and determine whether or not they are NIS-compliant. As ongoing incidents and these guidelines demonstrate, the unthinkable can quickly become very likely for organizations at all levels,” says Shadabi.

Expanding scope

The latest framework also strengthens cybersecurity requirements for businesses and addresses the security of supply chains and supplier relationships. The framework will hold senior management accountable for non-compliance with cybersecurity obligations.

“It streamlines reporting obligations, introduces stricter oversight measures for national authorities, as well as stricter enforcement requirements, and aims to harmonize sanctioning regimes between Member States. It will help to increase the sharing of information and cooperation in computer crisis management at national and European level”, says the Commission.

Thierry Breton, Commissioner for the EU’s Internal Market, said that as cyber threats grow in complexity, “cooperation and rapid information sharing is of paramount importance”.

“With the agreement of NIS2, we are modernizing the rules to further secure critical services for society and the economy. So this is a major step forward. We will complement this approach with the upcoming Cyber Resilience Act, which will ensure that digital products will also be safer each time they are used,” he adds.

“The European Parliament and the Council have aligned the text with sectoral legislation, in the specific regulation on the digital operational resilience of the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure consistency between NIS2 and these acts,” reads a statement from the Council of the EU.

The two co-legislators also proposed a voluntary peer-learning mechanism to increase mutual trust and learn from best practices and experiences in order to achieve a common high level of cybersecurity. They aim to streamline reporting obligations in order to avoid over-reporting and creating an excessive burden for covered entities.

The impact

Greg Day, global field CISO at cybersecurity firm Cybereason, told ISMG that it’s “too early” to say what impact, if any, the NIS2 directive will have.

“As it is a directive, it is something that each country now has to convert into its own national legislation,” he says.

Day says that one of the challenges with the previous version of the directive was that international companies struggled to really understand what it meant for them, as they had to comply with the different implementation of the directive in each country.

“What has been very positive to see lately is the recognition that as the world becomes more digital and threats continue to evolve, the required legislative controls must do the same,” he says. But he adds that there is also the financial reality that not all agencies in all countries will have the same access to budgets and skills.