NIS2 (the Second Network and Information Security Directive) aims to boost the overall level of cyber security in the EU, replacing the original NIS Directive. It will apply to far more companies and sectors - and the fines are bigger. The implementation deadline by EU Member States is October 17th 2024.
It applies to EU companies but also entities outside of the EU that provide services or have activities in the EU. It will impact e.g. data centers, healthcare, cloud and trusted service and communications providers.
Contrary to the original NIS Directive, NIS2 introduces supply chain responsibility and companies must be able to account for their handling of IT security. Your company is covered by the NIS2 Directive if it’s active in one of the sectors listed in Annex I or Annex II.
If you’re covered by NIS2, your company has to prepare for stricter requirements regarding risk management, business continuity, and reporting to the authorities.
As mentioned, the fines under NIS2 have increased significantly with fines of up to €10,000,000 (or 2% of total international turnover) can be imposed.
For more details, here’s a helpful FAQ drafted by the EU.
DORA (EU’s Digital Operational Resilience Act) is specific to the financial sector.
To comply with DORA, financial service providers will have to comply with new obligations - including e.g. maintaining robust third-party risk management as well as ensuring updated routines for incident reporting.
Although DORA doesn’t come into full effect until 2025, reporting obligations across the EU are already being developed for businesses that fall within its scope.
The Cyber Resilience Act is the centerpiece of the EU's latest cyber security package. It complements existing sector-specific legislations, such as NIS2, DORA and others.
Political agreement on CRA was reached in December 2023 with formal approval expected in early 2024. After this, there’ll be a phased transition period with the vulnerability reporting obligations coming into effect in late 2025 and the remaining obligations following in in early 2027.
CRA introduces security rules for consumer digital services (particularly connected devices). It will regulate product security at supplier level, imposing obligations on manufacturers, importers and distributors of “products with digital elements”.
"Digital elements" refers to most software and hardware products and their remote data processing solutions - ranging from standard software solutions (e.g. text and photo editing software, games, operating systems, etc.) to products such as home automation devices, smart toys, routers, and more.
Sign up for a regular dose of news and updates from the legal landscape.