EU’s cybersecurity leap: the NIS2 Directive and its local transposition
Written By
Associate
Germany
I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.
Of Counsel
Netherlands
I am a Principal Regulatory Counsel in our Regulatory & Public Affairs practice in the Netherlands and Brussels. I have a focus on tech and comms and digital markets regulation, drawing on in-depth business knowledge and extensive experience in TMT and public administration.
Related
Practices
Sectors
- Automotive
- Aviation & Aerospace
- Defence & Security
- Energy & Utilities
- Financial Services
- Life Sciences and Healthcare
- Media, Entertainment and Sport
- Retail and Consumer
- Technology & Communications
Trending Topics
The NIS2 Directive marks a significant advancement in the European Union's commitment to enhancing cybersecurity across Member States. By 17 October 2024, all EU Member States were required to adopt and publish the necessary measures to implement the Directive, with these measures coming into effect on 18 October 2024. This timeline reflects the urgency with which the EU seeks to bolster its cybersecurity framework in response to the increasingly complex and pervasive cyber threats facing its member countries.
The new NIS2 rules contain specific cybersecurity requirements which in scope entities must comply with, including:
Importantly, the NIS2 Directive follows a minimum harmonisation approach: while all Member States must implement new national laws to reflect the NIS2 Directive, the Directive does not preclude Member States from adopting or maintaining provisions ensuring a higher level of cybersecurity.
Consequently, businesses should closely follow the national implementation of the new NIS2 Directive in jurisdictions in which they are regulated, so that appropriate account of the correct set of rules can be considered when implementing new requirements. We have a fixed price monitoring service for those wishing to track developments in one or more EU jurisdictions here.
Additional points to consider, including inter alia:
- Article 21(5) sub-para. 1 and Article 23(11) sub-para. 2: establishes a framework for the Commission to adopt implementing acts by 17 October 2024, detailing the technical and methodological requirements and further specifying the cases in which an incident shall be considered to be significant for various service providers. This includes inter alia cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines, and social networking services platforms.
- Article 23(11): grants the Commission the authority to adopt further implementing acts that specify the type of information, the format, and the procedure for notifications submitted in compliance with the Directive. This aspect of the Directive emphasises the importance of clarity and uniformity in reporting processes, which will facilitate effective oversight and ensure that the diverse range of service providers meets the necessary cybersecurity standards.
Our NIS2 Directive Tracker with the status of its implementation into national law can be found here.
If you would like to access more information and tools relating to cybersecurity, please visit our homepage here.
Our Bird & Bird Connected Newsletter provides further information on the latest developments in cybersecurity,subscribe here.
