
“Your password is incorrect” – Network and Information Security, and Cyber Resilience, take 2 (NIS2 & CRA)

Remember the sketch where Steve Carrell explains to a colleague, “for my password, I’ve chosen the word ‘Incorrect’? That way, when I forget my password, it’s really great, my computer actually reminds me, ‘your password is…’”

If only information security were so simple, especially when scaled up to a pan-European level. In 2024, businesses operating in the European Union face a new cyber legal framework shaped by two pivotal pieces of legislation: the NIS2 Directive and the Cyber Resilience Act (CRA). These regulations together represent a significant capacity-building exercise across the EU. They entail a significant collective investment in the EU’s response to escalating cyber threats and our increasing reliance on digital technologies. The UK plans a much more limited upgrade to NIS1, with an uncertain timetable for next steps given a looming general election. 

NIS2 Directive: A new paradigm in cybersecurity

The NIS2 Directive will repeal and modernise the existing NIS Directive, expanding the scope of cybersecurity obligations across various sectors within the EU. It aims to establish a higher level of cybersecurity and resilience within organisations, and it will have a more profound impact on how businesses manage their digital infrastructure than NIS1.

One of the critical features of NIS2 is its broadened scope, meaning that it will encompass more industry sectors and a broader range of technology providers. Specifically, the Directive distinguishes between “essential” entities (examples include energy, banking and digital infrastructure) and “important” entities (examples include manufacturing and digital providers) that provide services in the EU. Both categories of entity are subject to obligations to ensure certain cybersecurity standards and meet reporting requirements, but the (extensive) supervisory measures and GDPR-level penalties that can be applied differ depending on which category an operator falls into. Large and medium-sized enterprises fall directly under NIS2’s scope, although small and micro-organisations are still not exempt if they fulfil specific criteria.

The Directive requires the establishment by competent EU authorities of a list of regulated entities by a deadline of April 17, 2025. This registration process involves entities providing extensive information, including the sector under which the entity falls, contact details, and a list of their assigned IP addresses. The aim is to ensure EU member states can effectively identify and supervise the entities that fall within the scope of NIS2.

The reporting requirements for cybersecurity incidents under NIS2 have been extended. In addition to more granular reporting deadlines and more detailed reporting, regulated entities must now notify recipients of their services where the incident in question is likely to adversely affect the provision of those services.

An important feature of NIS2 is the focus on supply chain security. Organisations will now be legally required to address cybersecurity risks in their supply chains. This means that parties not subject to NIS2 because they do not meet the threshold requirements may now find themselves indirectly caught because they are suppliers in the supply chain of a regulated entity.

NIS2 also places greater emphasis on the accountability of management. This will require a more proactive approach from the leadership of an organisation, starting with conducting risk assessments and implementing risk mitigation plans, accompanied by mandatory training for management and employees. Personal liability also arises where the steps taken by an entity to implement enforcement measures ordered by a competent authority are deemed ineffective. In certain circumstances, CEOs and senior legal representatives may temporarily be suspended from managerial functions.

Cyber Resilience Act: Securing the digital product lifecycle

Complementing the NIS2 Directive, the CRA focuses on the security of digital products, including hardware and software, placed on the EU market. The CRA aims to ensure that such products meet specific cybersecurity standards before being marketed, thereby better protecting consumers and businesses from cyber threats.

The CRA applies to all products connected to a network, directly or indirectly. It introduces EU-wide cybersecurity requirements for these products’ design, development, production, and market availability. Manufacturers must conduct mandatory security assessments, implement vulnerability-handling procedures, and provide necessary information to users. Products designated as critical are subject to more stringent obligations.

This article is part of our Data Protection Top 10 2024 publication.
