The new European directives NIS 2 and CER aim to achieve a high common level of cybersecurity across the EU and ensure the continuity of essential services. The clock is ticking: by 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive. Those measures must be applied from the following day, 18 October 2024.
Despite the cybersecurity sector’s market value estimated at over €130 billion and an annual growth rate of 17%, Europe remains ‘cybervulnerable.’ Reports, including one from Waterfall Securities, indicate a dramatic rise in cyberattacks, predicting that up to 15,000 companies could be impacted within the next five years.
The challenge is not only about vulnerability but also economic impact. Cybercrime’s annual cost was estimated at €5.5 trillion by the end of 2020, with 60% of these crimes driven purely by economic gain. The threat is set to grow in number and sophistication; by 2025, it’s estimated that 41 billion devices will be connected to the Internet of Things, necessitating an open and secure cyberspace that fosters greater trust among global citizens.
Moreover, military conflicts, such as the ongoing situation in Ukraine, have galvanized hacktivists, cybercriminals, and other shadowy groups with state-backed interests. Prior to its invasion of Ukraine, Russia had launched disinformation and misinformation campaigns to sway public opinion. By June 2022, Russia had disabled 15% of Ukraine’s internet infrastructure, according to the European Council assessment.
A Joint Response is Lacking
Despite ongoing threats, there is a prevailing sense that the EU has yet to implement an effective joint cybersecurity response. The European Commission has pinpointed several issues, including the inadequate cyber resilience among companies within the EU and a varied perception of threats among member states, leading to a disjointed and uncoordinated response.
The NIS 2 and CER Directives are designed to enhance both cyber and physical security across the EU, aiming to bolster the resilience of critical entities. These two closely related directives are expected to have a significant impact, introducing stricter supervision and compliance measures. They emphasize enhanced coordination in managing incidents and security crises, improve the protocol for notifying vulnerabilities, and establish a more stringent sanctioning framework.
NIS 2, A New Horizon for European Cybersecurity
The NIS 2 Directive, standing for Network and Information Security 2, is aimed at fortifying security requirements across various entities. It mandates measures to secure supply chains and supplier relationships and standardizes the processes for reporting and sharing information on incidents. Additionally, it introduces the European Crisis Support Network (EU-CYCLONe).
The Directive updates the previous regulations on network and information systems security, eliminating the distinction between operators of essential services and digital service providers. It introduces a new categorization of ‘strategic’ entities into two groups—essential entities and important entities—based on their sector importance and service type, with each category subject to distinct supervisory regimes.
Under NIS 2, strategic sectors are classified into ‘High Criticality’ and ‘Other Critical Sectors’:
The ‘High Criticality’ ones are the following:
- energy (electricity, district heating and cooling, oil, gas and hydrogen)
- transport (air, rail, river and road)
- banking
- financial market infrastructures
- health, including the manufacture of pharmaceuticals and vaccines
- drinking water and wastewater
- digital infrastructures (internet exchange points; DNS service providers; TLD name records…)
- ICT service management (managed service providers and managed security service providers)
- public administration
- space
And this is the list of the ‘Other critical sectors’:
- postal and courier services
- waste management
- chemicals
- food
- medical device manufacturing
- computers and electronics
- machinery and equipment
- motor vehicles, trailers and semi-trailers and other transport equipment
- digital suppliers (online marketplaces, online search engines and social media service platforms)
- research organizations.
Essential entities, as defined by EU member states, include those from the ‘High Criticality’ sectors along with qualified trust service providers, domain name registries, DNS service providers, providers of public electronic communications networks, and public administration entities.
Additionally, any entity from the ‘Other critical sectors’ identified as essential by a member state during the transposition of the directive into national legislation is included.
Conversely, ‘important entities’ encompass those from both ‘High Criticality’ and ‘Other Critical Sectors’ that are not designated as essential.
The CER Directive, Protection of Essential Services in Europe
The CER Directive supersedes the 2008 European Critical Infrastructure Directive, focusing on enhancing and harmonizing the resilience strategies and plans of Member States and organizations. It mandates the implementation of specific measures to ensure the unobstructed provision of essential services critical for maintaining the social functions and vital economic activities of each territory.
Accordingly, the Directive ensures that critical entities are equipped to prevent, resist, absorb, and recover from a variety of disruptive incidents, including natural hazards, accidents, terrorism, insider threats, and health emergencies.
The CER Directive encompasses entities across 11 highly strategic sectors, including energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food.
What will resilience strategies consist of? They should include:
- strategic objectives and priorities
- a governance framework to achieve those objectives
- a description of the measures needed to improve the overall resilience of critical entities
- a list of the main authorities and stakeholders involved in the implementation of the chosen strategy.
The primary distinction between NIS 2 and the CER Directive lies in their scope: while NIS 2 is focused specifically on cybersecurity, the CER Directive acknowledges that significant disruptions also affect physical infrastructures such as facilities, roads, railways, and power generation systems, which are crucial for delivering essential services to the population.
How NIS2 and CER Impact Businesses in the EU
The NIS2 and CER Directives are poised to establish a critical framework for cybersecurity and physical security across the European Union. These rules aim to enhance the management of large-scale security incidents and crises, including natural disasters, terrorist attacks, internal threats, and sabotage.
The new regulations expand their scope to include small and medium-sized organizations (SMEs). Member states have the discretion to apply these rules to smaller entities that, despite their size, present clear vulnerabilities or are integral to critical supply chains.
While primarily targeting large strategic companies, the directives also impose new cybersecurity requirements on SMEs within critical sectors’ supply chains. Moreover, providers of digital services, including online platforms and e-commerce sites, must also adhere to specific stipulations of the directives.
Risk assessments must become more stringent and effective, ensuring the continuity of services. Critical entities are required to notify significant incidents to both a designated response team or authority and their service recipients. They must issue early warnings within 24 hours, a follow-up report after 72 hours, and a comprehensive final report within 30 days.
Under the CER Directive, authorities are tasked with assessing both natural and human-induced risks to essential services. This includes risks arising from interdependencies between sectors, which is particularly critical for cross-border groups with subsidiaries both inside and outside the EU, affecting supply chain management.
Mandatory measures include ensuring the physical protection of facilities and critical infrastructures, such as fences, barriers, and tools; responding to and mitigating incidents; and managing employee safety while raising staff awareness about safety protocols.
Should an incident significantly disrupt the provision of essential services in six or more Member States, authorities must inform the Commission.
Additionally, company management is responsible for implementing these measures and must regularly engage in training on cybersecurity and physical security risk management.
Next Steps and Key Dates for the Transposition of both Directives
For the NIS 2 Directive, member states are required to notify the European Commission of their applicable sanctioning regimes before January 2025. Furthermore, by April 2025, they must compile and submit a list of both essential and important entities, including those providing domain name registration services.
Significant penalties have been established for non-compliance: fines may reach up to €10 million or 2% of the global turnover for essential entities, and up to €7 million or 1.4% of the turnover for large entities.
Under the CER Directive, member states have until 17 January 2026 to develop a comprehensive resilience strategy, which includes risk assessment frameworks and any relevant existing plans or documents. They must identify the affected entities by no later than 17 July 2026.
Thereafter, and within a year, the Commission will submit a report to the European Parliament and the Council, evaluating the extent to which each Member State has implemented the required measures.