Cybersecurity Directive

The new EU-wide cyber law, Directive 2022/2555 (NIS2), entered into force on Monday, January 16, 2023. NIS2 builds on the original NIS Directive but significantly expands the categories of organizations that fall within the scope of the law, imposes new and more granular security and incident reporting rules, and creates a stricter enforcement regime. Member states now have until October 18, 2024 to transpose the new directive into their respective national laws.

The passage of NIS2 sets the stage for 2023 to be another big year for cybersecurity in Europe. We expect the global cyber threat landscape to remain challenging and the regulatory landscape to become even more complex due to a raft of new laws including the Cyber Resilience Act (which we covered here), the Critical Entities Resilience Directive (see our post here), the Digital Operational Resilience Act (DORA) (focused on financial services), and the UK’s ongoing reforms to its Network and Information Systems Regulations.

In this blog post, we summarize the key elements of NIS2 and describe what they will mean for your cybersecurity program this year.

In the early hours of Friday, 13 May, the European Parliament and the Council of the EU reached provisional political agreement on a new framework EU cybersecurity law, known as “NIS2”. This new law, which will replace the existing NIS Directive (which was agreed around the same time as GDPR, see here), aims to strengthen EU-wide cybersecurity protection across a broader range of sectors, including the pharmaceutical sector, medical device manufacturing, and the food sector.