EU Cybersecurity Directive (NIS2) was adopted by Council of the EU

Key messages

NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the Directive, such as energy, transport, health and digital infrastructure.

Key amendments

NIS2 amends the current NIS directive, which lays down requirements regarding national cybersecurity capabilities of Member States; rules for their cross-border cooperation; and requirements regarding national supervision of operators of essential services and key digital service providers.

NIS2 changes include:

• Broaden scope - additional sectors (including public administrations at central and regional level) and wider scope of entities
• Tightened security requirements for businesses, including security of supply chains and relationships between providers 
• Streamlining reporting obligations: entities need to report within 24 hours that they have been attacked
• Stricter supervisory measures for national authorities 
• Fines for failure to respect cybersecurity measures and the CEO may be held personally liable

Key impacts on boards

Two points identified as impacting boards are the following:

• To effectively manage the evolving cyber risks, Boards and senior-level management should define a cyber risk management strategy in order to adapt, evolve and improve the organisation’s cyber resilience capabilities 
• The management bodies shall approve the cybersecurity risk-management measures taken by entities in order to comply, oversee its implementation and can be held liable for infringements by the entities

Next steps

Member States will have 21 months to transpose the Directive into national law – so by autumn 2024. The legislation will be reviewed in 3 years.

Source

EU decides to strengthen cybersecurity and resilience across the Union: Council adopts new legislation – 28 November 2022

Deloitte

Nordic Board & Executive Advisory, 6 December 2022