(BRUSSELS) – Two EU directives on critical and digital infrastructure entered into force Monday to strengthen EU resilience against online and offline threats, from cyberattacks to crime, risks to health or natural disasters.
The Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) is set to ensure a safer and stronger Europe by significantly expanding the sectors and types of critical entities falling under its scope. These include providers of public electronic communications networks and services, data centre services, wastewater and waste management, manufacturing of critical products, postal and courier services and public administration entities, as well as the healthcare sector more broadly.
It is also expected to strengthen the cybersecurity risk management requirements that companies are obliged to comply with, as well as streamline incident reporting obligations with more precise provisions on reporting, content and timeline. The NIS 2 Directive replaces the rules on the security of network and information systems, the first EU-wide legislation on cybersecurity.
Against an ever more complex risk landscape, the Directive on the resilience of critical entities (CER Directive) replaces the European Critical Infrastructure Directive of 2008. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. 11 sectors will be covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.
EU Member States have 21 months to transpose both Directives into national law. During this time, Member States shall adopt and publish the measures necessary to comply with them.