EU Parliament approves NIS2 directive, helps increase cybersecurity levels in long run across the region

The European Union (EU) Parliament and the Council have approved legislation that sets tighter requirements for businesses, administrations, and infrastructure with measures that work towards a high common level of cybersecurity across the Union. By updating the Network and Information Security (NIS) directive, the EU Parliament expands the scope to be covered by the proposed NIS2 directive, repealing a 2016 directive.  

The new rules, which call upon EU countries to meet stricter supervisory and enforcement measures and harmonize their sanctions, were approved by Members of the European Parliament (MEPs) on Thursday. The NIS2 directive is set to push more entities and sectors to take consistent measures, strengthen the security requirements, and address the security of supply chains. It will also streamline reporting obligations and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.

The NIS2 directive introduces new rules to advance a high common level of cybersecurity across the EU – both for companies and countries. It also strengthens cybersecurity requirements for medium-sized and large entities that operate and provide services in critical sectors.

An update of the 2016 NIS directive, the NIS2 directive aims to improve clarity and implementation, and to address fast-paced developments in this area. It covers more sectors and activities than before, streamlines reporting obligations, and addresses supply chain security. After approval by Parliament on Nov. 10, it will also need to be approved by EU countries in the Council, after which member states will have 21 months to implement it.

The legislation, already agreed upon between MEPs and the Council in May, will set tighter cybersecurity obligations for risk management, reporting obligations, and information sharing. The requirements cover incident response, supply chain security, encryption, and vulnerability disclosure, among other provisions. Additionally, more entities and sectors will have to take measures to protect themselves. Essential sectors such as energy, transport, banking, health, digital infrastructure, public administration, and space sectors will be covered by the new security provisions. However, it does not include national and public security, law enforcement, or the judiciary.

“Ransomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments, and society more resilient to hostile cyber operations,” Bart Groothuis (Renew, NL), Rapporteur and lead MEP, said in a media statement. “This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work. It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale,” he said.

Groothuis added, “This is the best cyber security legislation this continent has yet seen because it will transform Europe to handling cyber incidents pro-actively and service orientated.”

During negotiations, MEPs insisted on the need for clear and precise rules for companies and pushed for the inclusion of as many governmental and public bodies as possible within the NIS2 directive’s scope. 

The NIS2 directive will also protect so-called ‘important sectors’ such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles, and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. It also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.

The law applies to public administration at the central and regional levels but not to parliaments and central banks. It requires more entities and sectors to take cybersecurity risk management measures, including providers of public electronic communications services, social media operators, manufacturers of critical products including medical devices, and postal and courier services.

The NIS2 directive also sets stricter cybersecurity obligations for EU countries when it comes to supervision. It improves the enforcement of those obligations by harmonizing sanctions across member states. It also looks towards improving cooperation between EU countries, including on large-scale incidents, under the umbrella of the EU Agency for Cybersecurity (ENISA).

MEPs adopted the text with 577 votes to 6, with 31 abstentions. Now that Parliament has approved the text, the Council has to formally adopt the law before it is published in the EU’s Official Journal.

On Thursday, the EU Commission and the High Representative also proposed a joint communication on an EU Cyber Defence policy and an Action Plan on Military Mobility 2.0. The EU Policy on Cyber Defence works on enhancing the EU’s ability to prevent, detect, deter, and defend against cyberattacks aimed at the Commission and its member states using all means available. It also addresses the deteriorating security environment following Russia’s aggression against Ukraine and works on boosting the EU’s capacity to protect its citizens and infrastructure.
