
Building Cyber Security Resilience: NIS 2 enters into force – Lexology

The NIS 2 Directive[1] (Directive 2022/2555) on measures for a high common level of cyber security across the EU has now entered into force.[2]
Member states must now incorporate the provisions into their national law by October 2024.
NIS 2 will replace its predecessor – NIS (Directive 2016/1148), which was the first cross-sector cyber security law in the EU.
NIS 2 has been necessary because the speed at which network and information systems have developed into a central feature of everyday life has led to greater interconnectedness, including in cross-border exchanges, and with this has come an expansion of the cyber threat landscape. The number, magnitude, sophistication, frequency and impact of incidents are increasing, and can impede the pursuit of economic activities in the internal market, generating financial loss, undermining user confidence and causing major damage to the Union’s economy and society. Cyber security preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market; “adapted, coordinated and innovative responses” are required in all member states, says the EU. In addition, NIS was not implemented consistently across member states, with, for example, some services being categorised as “essential” in some countries but not in others.
Moreover, the EU considers change is necessary for growth. Cyber security is a key enabler for many critical sectors to successfully embrace digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.
The UK has confirmed that it will update the Security of Network & Information Systems Regulations 2018 (NIS Regulations) as they apply to the UK, following the EU’s adoption of NIS 2. The UK has a leadership role in cyber security across the world. It is ranked second in the ITU Global Cyber Security Index[3], in part due to the work of the National Cyber Security Centre, which has been lauded globally for responding to incidents quickly and putting previously classified information into the hands of industry so that companies can defend themselves more effectively. Countries like Canada and Australia have chosen to follow suit and adopt the NCSC model.
To harmonise cyber security requirements and the implementation of cyber security measures in different member states, the revised directive sets out minimum rules for a regulatory framework and lays down mechanisms for effective co-operation among relevant authorities in each member state. It updates the list of sectors and activities subject to cyber security obligations and provides for remedies and sanctions to ensure enforcement.
The new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER) to provide legal clarity and ensure coherence between NIS 2 and these.

NIS 2 will apply to public administrations at central and regional level. However, the text clarifies that the directive will not apply to entities carrying out activities such as defence, national security, public security and law enforcement, nor will it apply to the judiciary, parliament and central banks.
Key changes between NIS and NIS 2 are as follows:
Directors and senior managers within businesses caught by NIS 2 should start preparing to meet the new requirements now. They will be expected to have a comprehensive suite of systems and controls in place to protect their operations. They won’t be able to reduce risk to zero but should be prepared to explain why decisions as to what to prioritise were made. It will also be important to ensure that they have full crisis response plans in place, know where to find them and practise them. Front loading some of the analysis helps reduce both the decision-making processing during any crisis and liability.

© Copyright 2006 – 2023 Law Business Research
