The NIS 2 Directive

The NIS 2 Directive was published in the Official Journal of the European Union as Directive (EU) 2022/2555 in December 2022.

Full name: The full name is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)”.

Deadlines: By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with the NIS 2 Directive.

They shall apply those measures from 18 October 2024.

Directive (EU) 2016/1148 (NIS Directive) is repealed with effect from 18 October 2024.

By 17 July 2024 and every 18 months thereafter, EU-CyCLONe shall submit to the European Parliament and the Council an evaluation report on its work.

By 17 October 2024, the Commission shall adopt implementing acts specifying the technical and methodological requirements of the measures in respect of DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking service platforms and trust service providers.

On 17 January 2025, the Cooperation Group shall establish, with the assistance of the Commission and ENISA and, where appropriate, the CSIRTs Network, the methodology and organisational aspects of peer reviews with a view to drawing lessons from shared experience, strengthening mutual trust, achieving a high common level of cybersecurity, and improving the cybersecurity capabilities and policies of the Member States necessary for the implementation of this Directive. Participation in peer reviews shall be voluntary. Peer reviews shall be carried out by cybersecurity experts. The cybersecurity experts shall be designated by at least two Member States other than the Member State being reviewed.

By 17 April 2025, Member States shall draw up a list of essential and important entities, as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list regularly and at least every two years thereafter.

By 17 April 2025 and every two years thereafter, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.

By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive and report to the European Parliament and the Council.

Important obligations: According to Article 20 (Governance), the management bodies of essential and important entities must approve the cybersecurity risk management measures taken by those entities, monitor their implementation and “may be held liable for breaches”.

According to Article 20, Member States shall ensure that “members of the management bodies of essential and important entities are required to undergo training” and shall encourage essential and important entities to offer such training to their employees on a regular basis, so that they acquire sufficient knowledge and skills to identify risks and to assess cybersecurity risk management practices and their impact on the services provided by the entity.

According to Article 21 (Cybersecurity risk management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks related to the security of the network and information systems that those entities use for their operations or for the provision of their services and to prevent or minimise the impact of incidents on the recipients of their services and on other services.

Taking into account the “state of the art” and, where applicable, relevant European and international standards, as well as the costs of implementation, those measures shall ensure a level of security of the network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of exposure of the entity to the risks, the size of the entity and the likelihood of incidents occurring and their severity, including their societal and economic impact.

The measures are based on an “all-hazards approach” that aims to protect network and information systems and the physical environment of these systems from incidents and include “at least” the following:

(a) risk analysis and information system security policies;

(b) incident handling;

(c) business continuity, such as backup and disaster recovery management, and crisis management;

(d) supply chain security, including security aspects relating to the relationship between each entity and its direct suppliers;

(e) security in the acquisition, development and maintenance of network and information systems, including the handling and disclosure of vulnerabilities;

(f) policies and procedures for assessing the effectiveness of cybersecurity risk management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communication systems within the entity, where appropriate.

Important note for non-EU entities: In accordance with Article 26 (Jurisdiction and territoriality), if an entity is not established in the EU but offers services within the EU, it shall designate a representative in the EU. The representative shall be established in one of the Member States in which the services are offered. Such an entity shall be deemed to fall under the jurisdiction of the Member State in which the representative is established. In the absence of a representative, any Member State in which the entity provides services may take legal action against the entity for infringement of this Directive.

Source: https://cypro.bg/