New stronger rules start to apply for the cyber and physical resilience of critical entities and networks
Recent threats to the EU’s critical infrastructure have attempted to undermine our collective security. Already in 2020, the Commission had proposed a significant upgrade to the EU’s rules on the resilience of critical entities and the security of network and information systems. Today, two key directives on critical and digital infrastructure will enter into force and will strengthen the EU’s resilience against online and offline threats, from cyberattacks to crime, risks to public health or natural disasters – the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) and the Directive on the resilience of critical entities (CER Directive).
The NIS 2 Directive will ensure a safer and stronger Europe by significantly expanding the sectors and type of critical entities falling under its scope. These include providers of public electronic communications networks and services, data centre services, wastewater and waste management, manufacturing of critical products, postal and courier services and public administration entities, as well as the healthcare sector more broadly. Furthermore, it will strengthen the cybersecurity risk management requirements that companies are obliged to comply with, as well as streamline incident reporting obligations with more precise provisions on reporting, content and timeline. The NIS2 Directive replaces the rules on the security of network and information systems, the first EU-wide legislation on cybersecurity.
Against an ever more complex risk landscape, the new CER Directive replaces the European Critical Infrastructure Directive of 2008. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. 11 sectors will be covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.
Member States have 21 months to transpose both Directives into national law. During this time, Member States shall adopt and publish the measures necessary to comply with them.
In December 2022, the Council has adopted a recommendation on a Union-wide coordination approach to strengthen the resilience of critical infrastructure where Member States are invited to accelerate preparatory work for the transposition and application of NIS 2 and of the Directive on the resilience of critical entities (CER).
More information on the NIS2 Directive is available here, in this Q&A and in this factsheet and on the CER Directive here.