The Council and the European Parliament agree on a new directive

In a joint statement published on May 13, 2022, the Council of the European Union and the European Parliament unveiled the outlines of a new agreement (the NIS 2 directive) on measures to ensure a high level of cybersecurity across the Union.

The NIS 2 directive must make it possible to deal with Europe’s growing exposure to cyber threats

With this new directive, the two institutions hope to further improve the resilience and incident response capacities of the public and private sectors and of the Union as a whole. This text, named “NIS 2”, will replace the current directive on the security of network and information systems (the NIS directive). According to the Council and European Parliament press release, “the revised directive contributes to the reduction of divergences in cybersecurity requirements”.

Concretely, this new version of the NIS directive updates the list of supervised sectors and activities. It also provides “remedies and sanctions to ensure its proper implementation”. The idea is to bring all Member States to the same level of protection by setting minimum rules for regulation and strengthening mechanisms for effective cooperation between competent national authorities. The text must also allow the establishment of the European network for the preparation and management of cyber crises (EU-CyCLONe).

Another important step forward for the European digital agenda

According to Margrethe Vestager, European Commissioner for Competition and specialist in digital issues, “We have worked tirelessly on the digital transformation of our company. Over the past few months, we have put in place a number of fundamental elements, such as digital markets legislation and digital services legislation. And today, Member States and the European Parliament reached an agreement on the NIS 2 Directive. This is another important step in our European digital agenda, which will ensure the protection of citizens and businesses and strengthen their confidence in essential services”.

Under the old NIS Directive, Member States were responsible for determining “which entities met the criteria to be qualified as operators of essential services”. The new version brings an important change: the NIS 2 directive introduces a size-cap rule. According to the press release, this means that all medium and large entities operating in the sectors covered by the directive (such as energy, transport, health, digital infrastructure or even tech companies), or providing services covered by it, fall within its scope.

This text will not apply to entities carrying out activities in areas such as national defense or security, public safety, law enforcement and the judiciary. It would seem that central banks are also excluded from the scope of the NIS 2 Directive. On the other hand, public administrations, often targeted by cybercriminal groups (as is currently the case in Costa Rica), are affected by the updated directive. Once the directive is approved, Member States will have 21 months to incorporate its provisions into national law.
