European Commission Publishes New EU Cybersecurity Strategy
The European Commission and High Representative of the Union for Foreign Affairs and Security Policy have published details of a new EU Cybersecurity strategy, which aims to enhance the EU's resilience to cyber threats and build a cybersecure digital transformation. The overall strategy is set out in a Communication, which is accompanied by two legislative proposals. The first legislative proposal is for a new EU Directive on the resilience of critical entities (the proposed CER Directive), which will enhance and repeal the existing 2008 European Critical Infrastructure Directive (Council Directive 2008/114/EC, the ECI Directive). The second proposal is for a new Directive on cybersecurity across the EU (NIS2), which would augment and repeal the existing NIS Directive (Directive (EU) 2016/1148). The Commission consulted earlier this year on each of these legislative proposals.
The proposed CER Directive will impose obligations on Member States to ensure the continued provision of services that are essential to maintain vital societal functions or economic activities. Member States will need to develop a strategy for identifying critical entities and for enabling those entities to enhance their resilience and improve their ability to provide the essential services. The proposed CER Directive will expand the scope of the ECI Directive, which currently only applies to the energy and transport sectors, to include banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, and space. However, where there is an overlap with the proposed NIS2 Directive, entities in the digital infrastructure, banking and financial infrastructure sectors would not be subject to the additional obligations under the proposed CER Directive. The obligations that the proposed CER Directive places on Member States in relation to these entities would, however, still apply.
The NIS Directive is designed to protect the security of EU network and information systems and sets out, among other things, the parameters of national network and information security strategies to be implemented by Member States for providers of "essential services", which include credit institutions (as defined under the EU Capital Requirements Regulation) and financial market infrastructures. With the proposed NIS2 Directive, the Commission is seeking to address the issues resulting from different approaches across the EU to implementation of the requirements, including regulatory fragmentation, cross-border provision of services and level of cybersecurity resilience.
The proposed NIS2 Directive will extend to sectors not included in the NIS Directive and will, subject to certain exceptions, only apply to large and medium-sized companies (as defined in Commission Recommendation 2003/361/EC). Entities will be split between essential and important entities, depending on their sector and the type of services provided. Both essential and important entities will be subject to the same risk management requirements and reporting obligations; however, different supervisory and penalty regimes will apply. Where sector-specific legislation provides for equivalent or more stringent cybersecurity