EU leaders and the European Parliament have reached agreement on a new directive that aims to strengthen the union’s common defences against cyber-threats.
The NIS 2 Directive was proposed by the European Commission in late 2020, and obliges more organisations to take measures aimed at reducing the risks of cyber-attacks.
It will update the existing rules on cybersecurity, which were aimed at setting a common high level of security for network and information systems across the EU.
The new directive will cover medium-sized and large entities from more sectors that are seen as critical for the EU’s economy and society – including providers of public electronic-communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services, and public administration.
Citing the increasing security threats that arose during the COVID-19 pandemic, the commission points out that the new rules will also cover the healthcare sector – including medical-device manufacturers.
The directive also strengthens the cyber-security requirements imposed on the companies, and introduces accountability of top management for non-compliance with cyber-security obligations.
It streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, and aims to harmonise sanctions regimes across EU member states.
More complex threats
Thierry Breton (Commissioner for the Internal Market) said that cyber-threats had become bolder and more complex, and that it had been “imperative” to adapt the EU’s security framework to the new realities.
“In today’s cyber-security landscape, cooperation and rapid information-sharing are of paramount importance. With the agreement of NIS2, we modernise rules to secure more critical services for society and economy,” he added.
The political agreement reached by the European Parliament and the EU Council is now subject to formal approval by the two bodies.
Once published in the Official Journal, the directive will enter into force 20 days after publication. Member states will then have 21 months to transpose the new elements of the directive into national law.