The European Union’s new Network and Information Security Directive (NIS2) is now available in final text form. It will enter into force on January 16, 2023, and is intended to “ensure a high common level of cybersecurity in the Union”.
NIS2: New EU cybersecurity directive drafted
The new edition of the network and information security (NIS) rules, called NIS2, has now been formulated by the European Union and may enter into force on January 16, 2023. After the EU Parliament passed the new law in November 2022, companies, state-owned enterprises and authorities will be faced with far-reaching changes in the coming year.
Among other things, NIS2 regulates the security requirements and reporting obligations that companies must fulfill. In the event of cyber security incidents, companies will have to inform the relevant authorities within roughly 24 hours and then submit a detailed report within 72 hours.
The new EU directive covers, among other things, facilities that have been classified as critical facilities in accordance with Directive 2022/2557. However, NIS2 also adds new categories for companies – including, for example, telecommunications companies, wastewater and waste management, energy suppliers, healthcare providers and many other areas.
In the digital infrastructure sector in particular, NIS2 includes many new companies that fall under the “high criticality sectors”. According to a report by heise.de, by some estimates nearly 160,000 businesses and public institutions across the EU, and nearly 20,000 in Germany, fall under the new directive.
Implementation by October 2024
NIS2 is also expected to make it more difficult, even nearly impossible, to operate anonymous websites within the EU. Top level domains and other web addresses will in future have to show “accurate and complete domain name registration data”. In the future, it must be possible to manage, identify and contact domain owners and contact points via this data.
Upon request, the data must be made available, for example to law enforcement agencies, within 72 hours of receipt of the request. EU member states have until October 17, 2024 to implement the revised requirements into national law.
In addition, the NIS2 directive also includes regulations on the creation of member states’ own national cybersecurity strategies, while states are allowed, but not required, to enact their own cybersecurity laws. To this end, the German government is working on a new CRITIS umbrella law for critical infrastructure, which could be passed in 2023.