NIS2 cyber laws approved by EU legislators

NIS2 builds on the original NIS Directive which took effect in the EU in 2018. It is broader in its scope than the original directive, meaning more organisations across both the public and private sectors will be subject to cybersecurity risk management and incident reporting obligations than before.

Businesses across sectors such as energy, transport, health, and digital infrastructure, as well as waste management, chemicals, food, and manufacturers such as those in the automotive and medical device markets, are among those that will be impacted by the legislation.

Stuart Davey, cyber expert at Pinsent Masons, said: “Whilst member states have 21 months in which to implement NIS2 in their jurisdictions, organisations may wish to make an early start on working on their NIS2 compliance programmes, particularly those in sectors not previously caught by similar cybersecurity regimes.”

Organisations subject to the NIS2 regime will be obliged to “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services”.

Specific cybersecurity measures endorsed in the legislation include policies on risk analysis and information system security, policies on incident handling, access control policies, and the use of multi-factor authentication or continuous authentication solutions. Supply chain security must also be considered, including the vulnerabilities “specific to each direct supplier and service provider” as well as “the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures”.

The precise cybersecurity measures each organisation must implement to comply with their legal obligations under NIS2 will depend on factors such as their size, exposure to risk, the likelihood of occurrence of incidents and their severity, and the availability and cost of implementing technology or international…