The final version of the European Union’s new Network and Information Security Directive (NIS2) has been published. It enters into force on 16 January 2023 and is aimed at “ensuring a high common level of cybersecurity in the Union”.
NIS2: Drafting a New EU Cybersecurity Directive
A new version of the Network and Information Security (NIS) Regulations, called NIS2, is currently being developed by the European Union and may enter into force on January 16, 2023. Businesses, state-owned enterprises and authorities will face far-reaching changes next year after the EU Parliament passes the new law in November 2022.
Among other things, NIS2 defines security requirements and reporting obligations that companies must meet. In the event of a cybersecurity incident, companies are required to notify the relevant authorities within approximately 24 hours and submit a detailed report within 72 hours.
The new EU Directive targets, among other things, facilities classified as critical facilities according to Directive 2022/2557. However, NIS2 also adds a new category for enterprises. Examples include telecommunications companies, wastewater and waste management, energy suppliers, healthcare providers, and many other areas.
Especially in the area of digital infrastructure, NIS2 places many new companies in the “High Importance Sector”. According to a report by heise.de, some estimates put around 160,000 companies and public institutions across the EU, and around 20,000 in Germany, under the new directive.
Implementation by October 2024
NIS2 is also expected to make operating anonymous websites more difficult and nearly impossible within the EU. For top-level domains and other web addresses, “accurate and complete domain name registration data” should now be displayed. In the future, it should be possible to manage, identify and communicate with domain owners and contacts through this data.
Upon request, the data must be made available, for example, to law enforcement agencies and must be provided within 72 hours of receipt of the corresponding request. EU member states have until 17 October 2024 to implement the revised requirements into their national legislation.
In addition, the NIS2 Directive includes regulations for member states to develop their own national cybersecurity strategies, and states are permitted, but not required, to enact their own cybersecurity laws. To that end, the German government is working on a new KRITIS umbrella law for critical infrastructure that could be passed in 2023.