European Union adopts new legislation to strengthen cybersecurity

Amid increased cyberattacks, European Union has adopted the new revised Network and Information Systems directive (NIS2) to strengthen the EU's cybersecurity work. These new rules are part of wider actions to build the EU's resilience against physical and digital risks.

It will strengthen the EU's cybersecurity work by improving the resilience of public and private entities, introducing stricter enforcement and increasing information-sharing, read the EU Council press release.

The move comes after many nations have started realizing the threat posed by Chinese technological advancements, however, many countries still depend on Chinese firms.

China is trying to use "coercive" ways to sabotage the digital infrastructure of nations that are least bothered about the growing threat of Beijing, Voice Against Autocracy reported.

The report further said that China's technological expansion is being led by Chinese firms that have been taking over global surveillance around the world.

Chinese telecommunication firms like Huawei, Hik vision, ZTE Corps, and others in the past 10 years have been funded by the Chinese Communist Party. According to the Voice Against Autocracy report, "China with its peculiar objectives is attempting to by-pass the obstacle of convincing nations to entrust its rise but, on a total contrary, is rather on the path of using coercive means to sabotage the digital infrastructure of nations that are least concerned about the rising Chinese threat."

The Council adopted legislation for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sectors and the EU as a whole, added the press release.

"There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes for our economies and our citizens are enormous. Today, we took another step to improve our capacity to counter this threat," said Ivan Bartos, Czech Deputy Prime Minister for Digitalization and Minister of Regional Development.

NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health, and digital infrastructure.

The revised directive aims to harmonize cybersecurity requirements and implementation of cybersecurity measures in different member states.

The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises, added the release.

While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule as a general rule for the identification of regulated entities. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.

While the revised directive maintains this general rule, its text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for allowing national authorities to determine further entities covered, added the release.

The text also clarifies that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security, and law enforcement. Judiciary, parliaments, and central banks are also excluded from the scope.

NIS2 will also apply to public administrations at the central and regional levels. In addition, member states may decide that it applies to such entities at the local level too.

Moreover, the new directive has been aligned with sector-specific legislation, in particular, the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts.

A voluntary peer-learning mechanism will increase mutual trust and learning from good practices and experiences in the Union, thereby contributing to achieving a high common level of cybersecurity, added the release.

The new legislation also streamlines the reporting obligations in order to avoid causing over-reporting and creating an excessive burden on the entities covered.

The directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day following this publication.

Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law, added the release.