On 16 December the European Commission issued its new Cybersecurity Strategy for the Digital Decade together with the Proposal for a revised Directive on Security of Network and Information Systems (NIS2 Directive) and Proposal for a Directive on the resilience of critical entities. (including the Commission’s Impact Assessment on the matter).
Note that on the same day the Report on the impacts of the Commission Recommendations on the Cybersecurity of 5G networks was also published.

The new EU Cybersecurity Strategy is introducing three strategic initiatives:

  • Creation of EU-based solutions aiming to strengthen the Internet security globally;
  • Regulation for an Internet of Secure Things;
  • Regulation for high standards of cyber and information security in EU bodies. 

These strategies will be further promoted by the creation of an EU-wide Cyber Shield and a Joint Cyber Unit.

Furthermore, the Proposal for the NIS2 Directive aims to update the existing regime to better address the cybersecurity challenges of the unprecedented digitization of the last years. The Proposal increases the supervision and enforcement measures; introduces administrative sanctionseliminates the distinction between operators of essential services and digital service providers; and extends the scope of the previous Directive to include more sectors and more services from the currently identified as either essential or important, such as:

  • Providers of public electronic communications networks or services;   
  • Manufacturing of critical products (e.g. pharmaceuticals and medical devices); 
  • Postal and courier services;
  • Waste water and waste management;
  • Digital services (e.g., social networking services platforms and data centre services);
  • Food, and
  • Space;
  • Public Administration.

Lastly the proposal is addressing the security of supply chains by requiring companies to address clearly cybersecurity risks and obligation in their supplier relationships especially for key information and communication technologies.

Similarly, the Proposal for the Directive on the resilience of critical entities expands the scope of the existing EU rules on critical infrastructure to cover 10 sectors while aiming to strengthen their cyber-resilience.

The Commission will be implementing its Cybersecurity Strategy in the following months starting from the negotiations of the Proposals. Once adopted, the Member States will have to transpose the Proposals within 18 months.

At VdA, our Data Protection and Cybersecurity team is available to provide legal advise to organisations in order to prepare them for the challenges arising from the implementation of this new EU Cybersecurity regime.