European Union Cybersecurity Landscape - Legal Developments

Ernst & Young

Navigating the Evolving EU Cybersecurity Landscape and Compliance Guidance: NIS and NIS 2 Directive

In today's interconnected digital world, cybersecurity laws are essential safeguards against a wide range of cyber threats, including ransomware attacks, data breaches, and cyber espionage. The European Union is undoubtedly the forerunner in enacting laws that regulate the digital space, whether the subject is data privacy, artificial intelligence, or cybersecurity.

This 'Round-Up' analyses the evolving EU cybersecurity landscape, highlighting key developments across jurisdictions. It offers insights into current and upcoming changes under the NIS Directives to help businesses navigate the regulatory environment. Additionally, it provides practical guidance for companies to comply with the directive's obligations, ensuring effective data protection and regulatory compliance.

NIS Directive: A Recap

The NIS Directive, formally known as the Directive on Security of Network and Information Systems, was introduced by the EU in 2016 to strengthen the cybersecurity resilience of critical infrastructure operators. This directive imposes obligations on operators of essential services (OES) and digital service providers (DSPs) to implement robust cybersecurity measures. These measures include risk management, incident reporting, and cooperation with national authorities, fostering a proactive approach to protecting vital networks and systems. The NIS Directive is a cornerstone in the EU's efforts to enhance cybersecurity readiness and resilience, laying the groundwork for future legislative initiatives.

NIS 2 Directive: An Overview

Building on this framework, the NIS 2 Directive, formally known as Directive (EU) 2022/2555, represents a pivotal advancement in the EU's cybersecurity standards. It introduces enhanced measures to address evolving cyber threats and digital vulnerabilities, establishing a high common level of cybersecurity across the EU.

The shift from the NIS Directive to the NIS 2 Directive will have several implications for EU businesses. Firstly, NIS 2 expands the regulatory scope to include a wider range of sectors, necessitating more organizations to comply with cybersecurity obligations. This may require adjustments to security practices and investments in cybersecurity measures. Secondly, NIS 2 introduces stricter requirements for risk management, incident reporting, and cooperation with national authorities. Businesses may need to enhance their cybersecurity capabilities, such as implementing robust risk assessment processes and incident response plans. Overall, the transition presents an opportunity for organizations to strengthen their resilience against cyber threats and improve their cybersecurity posture.

Overview of Transposition Status

Laws Finalized

  1. Hungary: Act XXIII of 2023, known as the Cybersecurity Certification and Cybersecurity Supervision Act ("CyberCert Act").
  2. Croatia: Croatia Cybersecurity Act, 2024 ("CCA").

Drafts Prepared

  1. Germany: Draft Law regarding the NIS 2 Implementation and Cybersecurity Strengthening Act of May 18, 2021.
  2. Poland: Amendments to the National Cybersecurity Act for Transposing the Network and Information Security Directive 2022/0383.
  3. Czech Republic: Amendment to the Act on Cyber Security from the National Cyber and Information Security Agency (NÚKIB).
  4. Belgium: Draft for the law establishing a framework for the cybersecurity of network and information systems of general interest for public security ("NIS 2 law").
  5. Austria: Network and Information System Security Act (NISG).
  6. Bulgaria: Amendments to the Cybersecurity Act, 2018.
  7. Cyprus: Amendments to the Law on Security of Networks and Information Systems of 2020 (L.89(I)/2020).
  8. Lithuania: Draft Law regarding the NIS 2 Implementation.
  9. Spain: Draft Law regarding the NIS 2 Implementation.
  10. Sweden: Draft Law regarding the NIS 2 Implementation.
  11. Slovakia: Draft law amending Act no. 69/2018 Coll. on cyber security and on the amendment of certain laws as amended.

Developments Awaited

Developments regarding transposition in Portugal, Slovenia, Romania, the Netherlands, Malta, Luxembourg, Latvia, Ireland, Greece, Estonia, Denmark and others have not yet appeared in the public domain.

NIS 2 Directive – Scope and Applicability

This section sets out which entities fall within the scope of the NIS 2 Directive and how they are categorized.

NIS 2 introduces two categories for entities: "important" and "essential." Both must meet the same requirements, but the difference lies in supervisory measures and penalties. "Essential" entities need to comply with supervisory requirements upon NIS 2 introduction, while "important" entities are subject to ex-post supervision, with action taken upon evidence of non-compliance.

NIS 2 simplifies scoping exercises for competent authorities. Sectors are defined, and any large (headcount over 250 or revenue over EUR 50 million) or medium (headcount over 50 or revenue over EUR 10 million) enterprise in these sectors is included. However, small or micro-organizations are not automatically excluded: Member States can extend the requirements to them where specific criteria indicate their societal or economic importance.

Essential and Important Entities List

NIS 2 requires the Member States to establish a list of entities which provide services that fall within the scope of NIS 2. Member States will require such entities to submit at least the following information to the competent authorities:

  1. the name of the entity;
  2. the address and up-to-date contact details, including email addresses, IP ranges and telephone numbers;
  3. the sector or sub-sector in NIS 2 scope under which they fall; and
  4. the Member States in which they operate.

The final list of information required will be defined as part of the transposition of the Directive into law. Additionally, Member States may establish national mechanisms for entities to register themselves.

NIS 2 Directive – Requirements for companies

This section deals with several key requirements for companies as stipulated in the NIS 2 Directive.

  1. Management Accountability: CEOs and boards of directors are required to be aware of, and trained in, cybersecurity risk management; failure to do so can attract substantial liability for C-level executives.
  2. Security Measures: Implementing appropriate technical and organizational measures to protect their networks and information systems from cyberattacks.
  3. Risk Management: Implementing risk management measures to identify, assess and manage the risks to their network and information systems.
  4. Incident Reporting, Information Sharing: Reporting cyberattacks to the competent authorities and sharing information about cyber threats and attacks with the authorities and other relevant entities.

Technical and Organizational Measures

To ensure that digital infrastructure and essential services remain resilient in the face of cyber threats, organizations must adhere to specific compliance requirements. The following table sets out the crucial technical, operational, and organizational measures for managing the risks posed to the security of network and information systems that essential entities have to undertake in order to be compliant.

Component | Companies are required to
Vulnerability assessment | conduct vulnerability assessments to identify known vulnerabilities in their systems.
Incident response procedures | implement incident response procedures to detect, respond to, and recover from cyberattacks.
Zero-day vulnerability detection | implement security measures to protect their networks and information systems from cyberattacks, including zero-day vulnerabilities.

Incident Reporting

The NIS 2 Directive outlines specific requirements for incident reporting, including the timeframe for reporting, the information to be included in the report, and the channels through which reports should be submitted. Timely and accurate incident reporting is essential for facilitating effective response and mitigation efforts, as well as for enhancing overall cybersecurity resilience across critical sectors. The NIS 2 Directive treats as a basic security element the reporting of significant incidents, both those that have caused harm and those capable of causing harm, as well as the notification of service recipients about cyber threats.

The following table sets out the incident reporting structure as provided by the NIS 2 Directive:

NIS 2 Requirement | When to Report | What to Report | Who to Report to
A notification | without undue delay | any measures or remedies that those recipients can take in response to that threat | recipients of services that are potentially affected by a significant cyber threat
An early warning | without undue delay and, in any event, within 24 hours of becoming aware of the significant incident | whether the significant incident is suspected of being caused by malicious acts | CSIRT or any competent authority
An incident notification | without undue delay and, in any event, within 72 hours of becoming aware of the significant incident | an initial assessment of the significant incident, its severity and impact | CSIRT or any competent authority
An intermediate report | upon the request of a CSIRT or the competent authority | relevant status updates | CSIRT or any competent authority
A final report | not later than one month after the submission of the incident notification | (i) a detailed description of the incident; (ii) the type of threat triggering the incident; (iii) mitigation measures; and (iv) the cross-border impact of the incident | CSIRT or any competent authority
A progress report | in the event of an ongoing incident | (not specified) | CSIRT or any competent authority
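The reporting clocks in the table above are easy to get wrong in practice, in particular the final report, which runs from the submission of the incident notification rather than from awareness. The following is an added example, not code from the article or from EY, that tracks one incident against those clocks; the 30-day reading of "one month" and the sample timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
# Clocks from the reporting table above; "one month" is approximated as 30 days (assumption).
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)

@dataclass
class ReportingTimeline:
    aware_at: datetime                               # when the entity became aware
    early_warning_at: Optional[datetime] = None      # actual submission times, if any
    incident_notification_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None
    ongoing: bool = False                            # incident still being handled

    def deadlines(self) -> Dict[str, datetime]:
        d = {"early_warning": self.aware_at + EARLY_WARNING,
             "incident_notification": self.aware_at + INCIDENT_NOTIFICATION}
        # Final-report clock runs from the incident notification's submission, not from
        # awareness; until it is filed, assume it goes out at its own deadline.
        start = self.incident_notification_at or d["incident_notification"]
        d["final_report"] = start + FINAL_REPORT
        return d

    def status(self, now: datetime) -> Dict[str, str]:
        """Per stage: submitted, late, pending, overdue or progress_report_due."""
        sent = {"early_warning": self.early_warning_at,
                "incident_notification": self.incident_notification_at,
                "final_report": self.final_report_at}
        out = {}
        for stage, deadline in self.deadlines().items():
            if sent[stage] is not None:
                out[stage] = "late" if sent[stage] > deadline else "submitted"
            elif now <= deadline:
                out[stage] = "pending"
            elif stage == "final_report" and self.ongoing:
                out[stage] = "progress_report_due"   # table: progress report while ongoing
            else:
                out[stage] = "overdue"
        return out

# Constructed sample timeline (illustrative dates, not a real incident).
AWARE = datetime(2024, 10, 17, 9, 0, tzinfo=timezone.utc)
def hours_after(h: int) -> datetime:
    return AWARE + timedelta(hours=h)
def demo() -> Dict[str, str]:
    t = ReportingTimeline(aware_at=AWARE, early_warning_at=hours_after(20),  # on time
                          incident_notification_at=hours_after(80))         # 8h past the 72h limit
    return t.status(hours_after(5 * 24))
```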

Management Accountability

The NIS 2 directive introduces the concept of top management accountability, emphasizing the responsibility of "management bodies" to own cybersecurity risks and ensure effective governance. This aims to foster better risk management practices and governance within organizations. The directive emphasizes the importance of clear accountability, although it does not solely focus on imposing sanctions. Instead, it calls for regular training for executives to enhance their understanding of cybersecurity risks and management practices. Management bodies of essential and important entities must approve cybersecurity risk management measures, supervise their implementation, and undergo regular training to enhance their knowledge and skills in cybersecurity risk assessment and management. The directive also encourages similar training for employees on a regular basis.

Details on the Laws Finalized

1. Hungary - Act XXIII of 2023, known as the Cybersecurity Certification and Cybersecurity Supervision Act ("CyberCert Act") - Forerunner in adopting the NIS 2 Directive.

  1. The legislation, aligned with the NIS 2 Directive, delineated an extensive array of industries where companies will be bound by the updated laws.
  2. Companies are required to register themselves with the Supervisory Authority of Regulated Activities (Authority) and must implement an internal information security management system, conduct risk assessments and classify IT systems and data.
  3. A broad range of companies will be obliged to register with the Authority by 30 June 2024, including organisations from the energy sector (electricity, oil and gas), transport (air, rail, water and road), healthcare providers, hospitals, drinking water supply and distribution providers, digital infrastructure providers (internet exchange points and Domain Name System ("DNS") service providers), space industry businesses (satellite operations), online marketplaces, search engines, social media, postal and courier services, waste water treatment providers, chemical producers (production and distribution), food businesses (production and distribution), manufacturers (of critical products such as pharmaceuticals, electronics and vehicles) and research sites.
  4. The requirements for private companies will become applicable on October 18, 2024.

2. Croatia - Croatia Cybersecurity Act, 2024 ("CCA").

  1. The Cybersecurity Act of Croatia was finalized and entered into force on 15 February 2024. This legislation integrates provisions from the Directive on Security of Network and Information Systems (NIS 2 Directive) into the domestic law. The transposition of the Directive necessitated revisions to the entire cybersecurity legislative framework, including bylaws.
  2. The CCA applies to companies registered in Croatia that provide products and services in any EU country. An exception applies to providers of public electronic communications networks and services, who must comply with the CCA even if not registered in Croatia but offering services within the country. The CCA categorizes companies and organizations as essential and important entities, aligning with the NIS 2 criteria but adding two further categories: local public administration bodies and educational institutions are considered important entities if deemed crucial for societal, economic, or educational activities.
  3. The CCA mandates regular cybersecurity supervision and audits for essential entities. To address the lack of such requirements for important entities, the CCA introduces a new requirement for regular self-assessment. Important entities must perform this cybersecurity self-assessment at least once every two years.
  4. The competent authorities will transmit a categorization notification to all relevant companies expected to implement cybersecurity measures no later than February 15, 2025. At present, only the provisions governing the duties of the competent authorities have entered into force; the cybersecurity obligations on private organisations will enter into force at a future date for the companies that receive such a notification.

The Member States are required to transpose the NIS 2 Directive by October 17, 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
