The New Cybersecurity Directives: NIS2 and CER

SÉRVULO PUBLICATIONS 01 Feb 2023

As part of the implementation of the European Union (“EU”)'s Cybersecurity Strategy[1], on 16 January 2023, the awaited Directive (EU) 2022/2055[2] on measures for a high common level of cybersecurity across the Union ("NIS2"), as well as Directive (EU) 2022/2557[3], on the resilience of critical entities (“CER”), entered into force.

The NIS2 Directive repeals Directive (EU) 2016/1148[4] on measures to ensure a high common level of network and information security across the Union ("NIS") - the first EU-level legal instrument on cybersecurity - and amends Regulation (EU) 910/2014[5], on electronic identification and trust services for electronic transactions in the internal market, and Directive (EU) 2018/1972[6], establishing the European Electronic Communications Code. With the aim of enabling the forthcoming digital transition in various sectors while mitigating the resulting cyber threats and security risks in a cooperative and coordinated manner, the NIS2 Directive imposes stricter and more detailed risk management measures and information obligations on a broader range of entities, namely public administrations and medium and large enterprises in EU Member States, including, inter alia, providers of public communications networks or publicly available electronic communications services. It further applies to a wider range of "essential" sectors, including energy, transportation, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructures, public administration, and space. To prevent non-compliance with these new requirements, the NIS2 also lays down a set of provisions on internal monitoring, supervision of national regulators and harmonized penalties.

The adoption of this new Directive was accompanied by Directive CER, replacing Directive 2008/114/ECC[7] on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. The CER Directive comes to impose the assumption of reinforced technical, operational and organizational measures, in order to ensure the management of network and information security risks, thus guaranteeing the resilience of infrastructures classified as "critical" - namely digital infrastructures - to threats such as natural disasters, terrorist attacks, etc., which, although not constituting cyber-risks - as these are already safeguarded by NIS2- put network and information systems at risk, specifically in regard to their physical and environment components.

The NIS2 and REC Directives must be transposed by the Member States of the EU by October 2024, being advisable that, during this transposition period, stakeholders, in particular, the entities which fall under its scope, prepare their implementation, namely by adapting their cybersecurity and risk management policies.

At last, it should also be noted that, specifically regarding the financial sector, Regulation (EU) 2022/2554[8] on digital operational resilience for the financial sector (commonly referred to as the Digital Operational Resilience Act or DORA) was also approved, resulting in special rules to ensure the (cyber)security of networks and services that support the activity of financial entities in the European Union.

Ana Mira Cordeiro | ami@servulo.com

Inês Pereira Lopes | ipl@servulo.com