The European Parliament recently adopted new legislation to strengthen digital resilience in Europe. Two new legislative instruments require companies and governments to strengthen their protection against cyber-attacks, and introduce stricter supervisory and enforcement measures. On 28 November 2022, the EU Council formally adopted both the NIS2 Directive and the Digital Operational Resilience Act. This adoption is the final step in the legislative process.
The first instrument is the new Network and Information Security Directive, also known as the NIS2 Directive. It aims to establish a common level of cybersecurity to better protect governments, businesses and organisations in Europe from cyber-attacks. The NIS2 Directive is an update of the previous Network and Information Security Directive of 2016 and covers more sectors and activities. It aims to end the fragmentation of cybersecurity across the single market by creating a stronger framework with better cooperation and information exchange between EU member states.
Besides companies and organisations in so-called ‘essential sectors’, such as energy suppliers, transport, banking, healthcare, digital infrastructure, public administration and space, medium-sized and large companies in ‘important sectors’ are also covered by the new rules. Such sectors include digital providers (such as social media platforms and online marketplaces), chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles, postal services, waste management, and others.
A second instrument is the Digital Operational Resilience Act or ‘DORA’. This Regulation aims to make the European financial sector more resilient to digital disruptions, cyber-attacks and other cyber incidents, and will function as a ‘lex specialis’ in case of overlap with the NIS2 Directive.
Both instruments contain notification obligations “without undue delay” in case of incidents as well as substantial fines in case of non-compliance with the new regulatory framework.
The NIS2 Directive and DORA will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day following their publication. Member States will have 21 months from the entry into force of the NIS2 Directive in which to incorporate the provisions into their national law. DORA shall apply with direct effect 24 months from the date on which it enters into force.
Please contact Karel Janssens for further information about this topic and/or for general legal advice relating to privacy and data protection.