NIS2

Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.

Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.

The IR is open for feedback via the Commission’s Have Your Say portal until July 25.

The new EU-wide cyber law, Directive 2022/2555 (NIS2), entered into force on Monday, January 16, 2023. NIS2 builds on the original NIS Directive but significantly expands the categories of organizations that fall within the scope of the law, imposes new and more granular security and incident reporting rules, and creates a stricter enforcement regime. Member states now have until October 18, 2024 to transpose the new directive into their respective national laws.

The passage of NIS2 sets the stage for 2023 to be another big year for cybersecurity in Europe. We expect the global cyber threat landscape to remain challenging and the regulatory landscape to become even more complex due to a raft of new laws including the Cyber Resilience Act (which we covered here), the Critical Entities Resilience Directive (see our post here), the Digital Operational Resilience Act (DORA) (focused on financial services), and the UK’s ongoing reforms to its Network and Information Systems Regulations.

In this blog post, we summarize the key elements of NIS2 and describe what they will mean for your cybersecurity program this year.