On May 13th 2022, the European Parliament established new parameters for a high common level of cybersecurity across the Union. Under a directive called NIS2, an extension of the former NIS directive, the newly agreed measures will enhance the resilience and incident response capacities of both the private and public sectors, as well as the EU as a whole.
According to the EU, NIS2 will set out the framework for both cybersecurity risk management measures and reporting obligations for all sectors in the European Union. This includes transport, finance, energy, digital infrastructure and health.
The decision to reform NIS was taken because the number of cyberattacks in Europe is rapidly increasing and they are becoming more sophisticated than ever. By 2024, there will be 22.3 billion devices connected to the IoT worldwide. With this increase in digital activity and connectivity, there will be a greater risk of cybercrime. The Russia-Ukraine war has also escalated concern about cyberattacks, illustrating that wars are not fought only through physical combat, but also through cyber hijacking. Hence the EU’s decision to invest in greater cybersecurity is a welcome act, and one that will seek to enable stronger risk and incident management, as well as cooperation.
Increased levels of risk and incident management and cooperation
According to the European Parliament, ‘the newly revised directive will seek to remove divergences in cybersecurity requirements and implementation of cybersecurity measures in different member states’. This will be achieved by establishing minimum rules for a regulatory framework, which will set the basis for effective cooperation among governmental authorities and organisations in each member state. The framework will regularly update the lists of sectors and activities that are subject to cybersecurity obligations, while also providing remedies and sanctions to ensure their enforcement. The directive has also formally established EU-CyCLONe (the European Cyber Crises Liaison Organisation Network). EU-CyCLONe will ensure that, should a large-scale cybersecurity attack occur, member states will cooperate to ensure coordinated management.
Broadening the scope of rules
In the old NIS directive, member states within the EU were responsible for deciding which entities met the criteria to qualify as operators of essential services. This is set to change with NIS2, which introduces a size-cap rule. This means that all medium-sized and large entities that operate within the sectors covered by the directive, or provide the services it covers, will fall under its scope. A provisionally agreed text has been included in the new directive. It seeks to ensure that additional provisions create proportionality, and that a higher level of risk management will be applied. This text also states that the directive will not apply to activities such as defence or national security, law enforcement or public security. Public administrations are often key targets of cyberattacks, so NIS2 will apply to organisations in this category at both regional and central level.
Introduction of co-legislators
Under NIS2, the European Parliament and the Council have drafted text for sector-specific legislation. There has been a particular focus on digital operational resilience for the financial sector, known as DORA. The EU will demand that firms seek legal clarity to ensure there is coherence between NIS2 and these new acts. Member states within the EU will have 21 months to implement the changes made in NIS2 in their national laws. This will require streamlining reporting obligations in order to minimise any over-reporting.
With the first half of 2022 nearly complete, it is clear that efforts to strengthen cybersecurity and to build resilience across all EU member states are increasing. Firms need to be able to invest confidently in their risk and incident management strategies, as well as cooperate competently with the EU in the event of a large-scale attack. Reporting such events falls under the umbrella of compliance. RFA’s cybersecurity governance and risk assessment processes provide firms within the EU with a foundation for effective technology solutions that protect financial services businesses and facilitate compliance. It is imperative that firms keep up with the pace of change and the new requirements of NIS2, so they can protect themselves, their assets and their employees too.