Cybersecurity, what will change with the Nis 2 Directive in the EU

Agreement reached on Nis 2 Directive: main changes in legislation and stakeholders. The analysis by Lucrezia Falciai, member of the Italian Atlantic Committee

One effect of the conflict between Russia and Ukraine has been to underline the growing importance of the cybersecurity of critical infrastructure. Although such infrastructure is constantly in the crosshairs of state and non-state actors who exploit cyberspace for intelligence activities or as a means of psychological pressure, the ongoing conflict has shown that it can also be a genuine strategic target whose compromise facilitates the activities carried out on traditional terrain.

As highlighted by a recent report published by Microsoft, cyberattacks are providing operational support to the confrontation. Specifically, the report notes that, since the beginning of the invasion, several actors with interests aligned with those of Moscow have carried out more than 237 operations against Ukraine. These mostly occurred in conjunction with Russian military operations, although it is unclear whether the coordination was deliberate or not.

With numerous attacks also affecting its Member States, the European Union appears to have stepped on the accelerator in terms of cybersecurity. In April a draft regulation was published aimed at raising the level of cybersecurity of European institutions, bodies and agencies. Furthermore, at the end of last week, the Parliament reached an agreement with the Member States on the so-called Nis 2 Directive, containing measures for a high common level of cybersecurity in the Union. It will update the 2016 directive, whose objective was likewise to raise the security level of the Member States' networks and information systems.

Turning to the main changes in the legislation and, therefore, to the main obligations that will be imposed on the public and private entities falling within its scope, the Nis 2 Directive will apply to medium and large entities. Compared with its previous version, it will encompass a greater number of sectors deemed critical for the economy and society, including providers of public electronic communications and digital services, wastewater and waste managers, manufacturers of critical products, postal services and shipping companies, as well as central and regional public administrations. Furthermore, the number of entities operating in the health sector affected by the new legislation will be expanded. For example, medical device manufacturers will be included, especially given the growing threats that emerged during the Covid-19 pandemic.

The broadening of the scope of the new rules, effectively obliging more entities and sectors to adopt new cyber risk management measures, will help to increase the level of cyber security in Europe in the medium and long term. To this end, the Nis 2 Directive will strengthen the cybersecurity requirements imposed on companies, addressing, inter alia, the issue of supply chain security and relationships with suppliers.

In addition, a significant new element is the introduction of liability for top management in the event of non-compliance with the obligations imposed by the legislation. The directive will also simplify the reporting obligations for IT incidents.

Ultimately, the objective of the Nis 2 Directive is to harmonize the approach to the matter in the Member States, guaranteeing uniformity also in terms of sanctions. In addition, particular attention will be paid to sharing information on major incidents and cooperation in cyber crisis management both at national and European level.

In our country, the task of supervising the correct application of the legislation by public and private entities will most likely fall to the newly established National Cybersecurity Agency, which, to date, is, inter alia, the competent national authority and single point of contact on the security of networks and information systems.


This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/cybersecurity-cosa-cambiera-con-la-direttiva-nis-2-nellue/ on Mon, 16 May 2022 07:46:41 +0000.