EU Council directive strengthens cybersecurity measures

29 November 2022

Elizabeth Pfeuti

New standardised ‘high level’ cybersecurity rules are being proposed for the EU by the European Council, which will bring more firms under this regulatory reach.

November 30, 2022


Called NIS2, this new directive will replace the current rules and create a baseline for cybersecurity risk management measures and reporting obligations.  

The new regulation will cover the same sectors as the current directive, including the energy, transport, health, and digital infrastructure industries.  

To widen the scope of rules, a size cap has been introduced. As a result, all medium and large-sized companies operating within the covered sectors will be affected. 

The widened scope means most companies within the public and private sectors as well as the EU as a whole will be covered. 

However, companies within the defence or national security, public security and law enforcement sectors, as well as the judiciary, parliament, and central banks, have been excluded.

Ivan Bartoš, Czech deputy prime minister for digitalisation and minister of regional development, said: “There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes for our economies and our citizens are enormous. Today, we took another step to improve our capacity to counter this threat.” 

The legislation has also established mechanisms for successful cooperation and updated remedies and sanctions to allow effective enforcement.   

Reporting obligations have been streamlined to avoid over-reporting and an excessive burden on the entities covered.

Additionally, the directive will establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises.  

Following the introduction of NIS2, member states within the EU will have 21 months to incorporate the directive into national law.

NIS2 has been approved by the European Parliament, which recently approved the Digital Operational Resilience Act (DORA).  

This regulation is designed to mitigate ICT risks across the EU by harmonising existing rules around this.

Specific implications for European financial services firms and their ICT providers have been integrated in this.  

Regulated entities have 24 months to implement DORA.  
