Overview
On December 16, the European Union released two proposals, one on NIS 2 and the other on cyber resilience of critical entities (read "infrastructures"). We have provided a short summary of what to expect:
- Significant extension of the entities in scope of the new NIS directive: more sectors covered and no need for Member States' designation of targeted entities. New terminology: essential versus important entities. A similar trend applies under the Critical Infrastructure directive.
- New requirements for supply chain management, plus new incident preparation and reporting requirements (a 24-hour timeframe to report to authorities, and new communication requirements towards affected users of the services).
- Extraterritorial reach and higher fines for non-compliance across the EU Member States (10 million or 2% of worldwide turnover).
- New framework for threat information sharing (including new governance principles).