14 November 2022


On 10 November, the European Parliament formally adopted the proposal for a Directive on measures for a high common level of cybersecurity across the Union (NIS2). The legislation, already agreed between MEPs and the Council in May, will set tighter cybersecurity obligations for risk management, reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions.

More entities and sectors will have to take measures to protect themselves. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors will be covered by the new security provisions. During negotiations, MEPs insisted on the need for clear and precise rules for companies, and pushed for the inclusion of as many governmental and public bodies as possible within the scope of the directive.

The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. It also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.

After Parliament’s approval, the Council also has to formally adopt the law before it is published in the EU’s Official Journal.

Source: European Parliament