Last straight line for the NIS 2 directive (Network and information security). The text, which has just been adopted by the Council of the European Union, the institution which brings together the heads of the Member States, is soon to be published in the Official Journal of the European Union. Member States now have 21 months to transpose the directive into their legislation.
Increased cyberattacks require a stronger EU response.
EU ministers adopted the new #NIS2 rules which will strengthen the EU’s cybersecurity work. These new rules are part of wider actions to build the EU’s resilience against physical & digital risks. https://t.co/ENP7rWu8JP pic.twitter.com/G5NGhbEsJ6
— EU Council (@EUCouncil) November 29, 2022
“Necessary changes”
Work on the revision of the NIS directive began in December 2020. Barely two years after the transposition of NIS 1 in France, in 2018, after its adoption in July 2016. Anssi, the French cyberfirefighter, then pointed “necessary changes” to deal with a cyber threat “in full transformation”, considering that this revision was “an opportunity to strengthen the level of cybersecurity within the European Union”.
As indicated by the European institutions, the revised directive should allow the harmonization of cybersecurity standards in the various Member States, and therefore clarify things. “It sets the minimum rules for a regulatory framework and defines the mechanisms for effective cooperation”, specifies the Council of the European Union.
10 times more regulated players
The list of sectors and activities subject to obligations has also been revised upwards. Thus, the target has been widened from only players in energy, transport, finance and water to public administrations, digital service providers or even the chemical industry, to name but a few.
Or, “ladlefully”, around “10 times more regulated players in France”, estimated Guillaume Poupard, the boss of Anssi, at the International Cybersecurity Forum in June 2022. However, we do not yet know the scope. exact scope of the revised directive. The European legislator has in fact given each Member State the possibility, during transposition, of extending this scope to regional or local administrations.
Barely adopted, the NIS 2 directive must be supplemented by a new text relating to cybersecurity in preparation. The Cyber Resilience Act, at the stage of the legislative proposal, must strengthen the IT security of digital products by attacking in particular the acute problem of the vulnerability of connected objects.