From stricter reporting rules to a new cyber threat hub, the EU is upgrading its cybersecurity law

The European Union is set to make major upgrades to its bloc-wide cybersecurity framework for the first time in years.

In November, the EU Parliament and European Council approved the implementation of a new policy known as the Network and Information Security Directive 2 (NIS 2.0). The framework will replace the original NIS Directive, which was introduced in 2016 as the first EU-wide cybersecurity legislation.

“We need to act to make our businesses, governments and society more resilient to hostile cyber operations,” Bart Groothuis, the lead member of the European Parliament, said in a statement. “This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work.”

NIS 2.0 aims to bolster the EU’s cybersecurity capabilities and resilience by expanding its coverage to include more sectors as well as increasing and harmonizing baseline security requirements for member states. Notably, this expansion includes a focus on critical infrastructure like energy systems, health care networks and transportation services.

The directive also introduces new mechanisms to better facilitate cooperation among national authorities and establishes a new centre to oversee a coordinated response to major cyber attacks. The centre is called the European Cyber Crises Liaison Organisation Network—or the EU-CyCLONe.

“If we are being attacked on an industrial scale, we need to respond on an industrial scale,” Groothuis added.

Under the NIS 2.0 directive, the EU will also join the United States and other countries in mandating stricter incident reporting requirements. The legislation will mandate that organizations across the board report cyber breaches and attacks within 24 hours of becoming aware of the incident. Companies that fail to do so can face steep fines.

NIS 2.0 has been in development for several years and is part of a wider EU campaign to engage stakeholders and bolster cybersecurity measures more broadly.

In fact, in 2021, the EU requested the World Economic Forum’s Cyber Resilience in Electricity community to provide comments on plans to improve cybersecurity legislation. “In view of the unprecedented digitalization in recent years, the feedback from member states and society, and the need for a more harmonized implementation across member states, the time has come to refresh it,” the Forum stated in its report.

Already, the EU has introduced new legislation to strengthen security requirements for digital hardware and software products and critical energy infrastructure.

Yet NIS 2.0 is being advanced as cyber attacks continue to rise in prevalence and sophistication—and continue to target critical infrastructure systems. In February, for example, major oil refining hubs in Belgium and the Netherlands were hit with a cyber attack. The hack interrupted the trade of refined products across the region.

“There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes for our economies and our citizens are enormous,” Ivan Bartoš, the Czech deputy prime minister for digitalization and minister of regional development, said in a statement after the Council’s vote, adding that NIS2 is “another step to improve our capacity to counter this threat.”

NIS 2.0 is expected to come into effect in the coming weeks and EU member states will then have 21 months to incorporate the new provisions into their national legislation. EU-CyCLONe officials, however, have already begun large-scale cyber attack simulations to increase readiness.

“Cyberattacks are everywhere,” Thierry Breton, the EU commissioner for the internal market, said in a statement on the cyber training exercise. “It is our shared responsibility to work collectively in preparing and implementing rapid emergency response plans.”

Moreover, the Forum Cyber Resilience communities continue to foster multistakeholder dialogues to enhance and drive collective action and raise awareness to strengthen cyber resilience at a global scale. These incudes, among other initiatives, a cybersecurity learning lab that aims to help organizations across sectors understand and mitigate their cyber risk.