International. The European Commission (EC) unveiled new legislation on cybersecurity and resilience to ensure a common approach and security measures across the European Union (EU).
The new Network and Information Security Directive (NIS 2.0), approved by the European Council and the European Parliament, will now be transposed into national law by the different EU member states. This new directive will update the first EU law on cybersecurity that came into force in 2016 with the aim of increasing and levelling the security of network and information systems across the EU.
"In view of unprecedented digitalization in recent years, feedback from member states and society, there was a need and request for more harmonized implementation across member states and greater public-private collaboration. These issues have been widely discussed and driven by the World Economic Forum's Cyber Resilience in Electricity and Oil and Gas communities, with proposals on global guidance and principles seeking a harmonized approach and collective action on cyber resilience," commented Filipe Beato, Leader, Center for Cyber Security, World Economic Forum.
The new directive was welcomed by the World Economic Forum's Cyber Resilience communities and is seen as a positive step towards a more collaborative and resilient cyberspace, while introducing stricter enforcement and improving information sharing. Such efforts help move cybersecurity from a business cost to a commercial enabler.
The directive will formally establish the European Cyber Crisis Liaison Organisation Network, EU-CYCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.
The text also clarifies that the directive will not apply to entities that carry out activities in areas such as defense or national security, public security and law enforcement. The judiciary, parliaments and central banks are also excluded from the scope.
NIS2 will also apply to public administrations at central and regional level. In addition, member states may decide that it also applies to such entities at local level.
Other changes introduced by the new law
In addition, the new directive has been aligned with sector-specific legislation, in particular the Regulation on Digital Operational Resilience for the Financial Sector (DORA) and the Critical Institutions Resilience Directive (CER), to provide legal clarity and ensure consistency between NIS2 and these acts.
A voluntary peer-to-peer learning mechanism will increase mutual trust and the learning of good practices and experiences in the Union, thereby contributing to achieving a high common level of cybersecurity.
The new legislation also streamlines reporting obligations to prevent over-reporting and to avoid creating an excessive burden for covered entities.
"There is no doubt that cybersecurity will remain a key challenge in the coming years. The stakes for our economies and our citizens are enormous. Today, we took another step to improve our ability to counter this threat," commented Ivan Bartoš, Czech Deputy Prime Minister for Digitalization and Minister of Regional Development.


