The Council adopted legislation for a high common level of cybersecurity across the Union

The Council has adopted new legislation for a high common level of cybersecurity across the Union, to strengthen the resilience and incident response capacities of both the public and private sector and the European Union as a whole. This new directive, which is also called “NIS2”, will replace the current directive on security of network and information systems (the NIS directive).

By harmonizing cybersecurity requirements and measures in different member states, this revised directive sets out minimum rules for a regulatory framework and effective cooperation among relevant authorities in each member state.

Further, the new NIS2 directive introduces a size-cap rule for identifying the regulated entities that are subject to the new directive. While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, under the size-cap rule all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope. Additionally, the new directive includes provisions to ensure proportionality, a higher level of risk management, and clear-cut criticality criteria that allow national authorities to determine further entities covered. The new directive also determines that it will not apply to entities carrying out activities in areas such as defence or national security, public security, and law enforcement.

The directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day following this publication. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.
