Written by Haim Ravia and Dotan Hammer
The European Parliament and the Council of the Europe Union have enacted a new directive on cybersecurity in critical infrastructures across the European Union. The new directive, dubbed the NIS2 Directive, is intended to replace the original Network and Information Systems (NIS) directive from 2016. It sets a higher standard of regulatory oversight and enforcement of cybersecurity throughout a wider range of companies and state authorities.
The directive governs, among other matters, the required response to security incidents, information security in the supply chain, vulnerability detection, and encryption. Among the infrastructures that will be subject to the new directive are energy, transportation, banking, health, space, digital infrastructures and public administration, food, medical devices, vehicles, waste and sewage, mail, chemistry, and digital suppliers. According to parliamentary estimates, the new directive will apply to about 160,000 organizations across the European Union.
At the same time, the European Parliament and the Council of the Europe Union enacted a new regulation on unified requirements for the security of information systems that support business processes in financial institutions. The regulation, dubbed the Digital Operational Resilience Act, particularizes the cybersecurity rules for financial institutions. It governs, among other matters, the requirements for managing information and communication technology risks in financial institutions, reports on information security events, sharing intelligence on cyber threats and cyber vulnerabilities, and information security requirements in communications between financial institutions and their suppliers.
Click here to read the Council of the European Union’s press release on NIS2
Click here to read the Council of the European Union’s press release on the Digital Operational Resilience Act.