The European Commission has adopted implementing rules on cybersecurity for critical entities and networks under the NIS2 Directive, establishing a high standard level of cybersecurity across the Union. This act outlines necessary cybersecurity risk management measures. It also defines when companies providing digital services, such as cloud providers, data centres, online marketplaces, search engines, and social networks, should report incidents as significant.
This adoption coincides with the deadline for Member States to transpose the NIS2 Directive into national law. Starting tomorrow, 18 October 2024, all Member States must implement the required measures to comply with these cybersecurity rules.
“Cybersecurity is one of the main building blocks for the protection of our citizens and our infrastructure. In today’s cybersecurity landscape, stepping up our capabilities, security requirements and rapid information sharing with up-to-date rules is of paramount importance. I urge the remaining Member States to implement these rules at national level as fast as possible to ensure that the services which are critical for our societies and economies are cyber secure,” said Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age.
What the NIS Directive is
The NIS Directive, the pioneering EU-wide law on cybersecurity, was enacted in 2016 to establish a standard security level for network and information systems across the EU. In December 2020, the European Commission took a proactive step by proposing a revision, leading to the NIS2 Directive, which must be transposed into national law by 17 October 2024.
The NIS2 Directive ensures high cybersecurity standards across sectors crucial to the economy and society, such as telecommunications, health, energy, and public administration. It strengthens security requirements for companies, enhances supply chain security, simplifies reporting obligations, and implements stricter supervisory measures and compliance requirements. The directive also aims to improve information sharing and cooperation on cyber crisis management at both national and EU levels.
The implementing regulation will be published in the Official Journal in due course and enter into force 20 days after that.