by Domenico Orlando
- Data Protection Law Consultant
by Javier López-Guzmán
- Data Protection Consultant
The world of cybersecurity is constantly changing, and in recent years many new rules and regulations have come into force. With the NIS 2 Directive, the European Union takes another step forward. Let’s have a closer look at the impact of this new Directive.
A lot of time and effort went into the new NIS 2 Directive on the security of network and information systems, with negotiations taking over two years. The new Directive aims to tackle the shortcomings of the first NIS Directive, which came into force six years ago, in order to raise the level of cybersecurity throughout the EU. As with the previous Directive, many industries will face new compliance requirements.
Since ICT is becoming ever more present in industry and society, the NIS 2 Directive has a much wider scope than its predecessor. Among the newly covered sectors are digital infrastructures such as cloud computing services, data centres and trust service providers in the field of digital identity, to give just a few examples. ICT service management providers (business-to-business) and the space sector will also be subject to the NIS 2 Directive.
Public administrations, at both central and regional level, will now also fall under cybersecurity legislation, as will digital providers such as online marketplaces, search engines and social networking platforms. In some areas, however, EU member states retain discretion, for example on whether to extend the Directive to public administrations at local level or to education institutions. This approach allows greater differentiation, perhaps at the expense of harmonisation.
Risks and incentives
The Directive provides a scheme for enforcement. Entities that fail to implement the required measures risk temporary suspension of certifications or authorisations, temporary bans on individuals exercising management functions, and steeper fines than before: up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities.
There are also positive incentives to comply. Entities that start early on the compliance path will avoid problems once the national transposition laws apply, and will be seen as reliable by users and potential clients.
Cybersecurity breach notification
One of the most important new elements is the introduction of a new notification system for cybersecurity incidents. Entities will be obliged to notify the competent authority or CSIRT of significant incidents and, where relevant, to inform the recipients of their services. The deadline is 24 hours for the early warning and 72 hours for the full incident notification, followed by a final report within one month. This is a breaking change compared to the previous legal framework, which was vaguer and only required notification “without undue delay.”
Entities in scope will also be subject to new mandatory security measures. The NIS 2 Directive expands their obligations in terms of risk analysis, incident handling, business continuity and crisis management, supply chain security, basic cyber hygiene practices and cybersecurity training, the use of cryptography, access control, and multi-factor authentication.
Roadmap for implementation
Implementation is down to national laws and authorities: member states have 21 months from the Directive’s entry into force, until 17 October 2024, to transpose it. In Belgium, the national cybersecurity authority, the Centre for Cybersecurity Belgium (CCB), which also operates the national CSIRT, will likely take an active role in enforcement.
Sopra Steria has long and broad experience in providing IT security solutions in both the public and private sectors. You can count on our expertise to build a secure environment and comply with the new NIS 2 framework. Don’t hesitate to contact us if you have questions or would like to discuss the application of this new legislation in more detail.