European Cybersecurity Legislation Updated
The revised Network and Information Security (“NIS 2”) Directive entered into force on 16 January 2023, and Member States have 21 months, until 17 October 2024, to transpose the measures into national law. To this end, organizations should already start preparing their journey toward compliance.
The first piece of European legislation on cybersecurity was the Network and Information Security (“NIS”) Directive adopted in 2016, which was transposed into Romanian legislation through Law no. 362/2018 on ensuring a common high level of security of networks and IT systems.
However, in response to multiple cyberattacks and other threats brought by digitalisation, the European legislator developed the NIS 2 Directive, which aims to strengthen the security requirements imposed, introduce more supervisory measures and set stricter enforcement requirements.
Through its many updates, NIS 2 applies to a larger group of entities. Not only does it enlarge the category of so-called “essential entities”, but it also adds a further category, “important entities”, which must likewise apply the European harmonised cybersecurity rules. Both essential and important entities are subject to the same cybersecurity risk-management and reporting requirements, but different supervisory and penalty regimes apply to each.
By 17 April 2025, Member States must identify the entities falling within either of these categories. In practice, companies may need to assess individually whether their services fall within such categories and register accordingly before the deadlines set by each Member State.
NIS 2 also assigns obligations to the management bodies of the targeted entities and sets potential penalties for failing to apply the cybersecurity requirements. More precisely, management bodies must approve a package of cybersecurity risk-management measures and oversee its implementation. Moreover, members of the management bodies must undergo training to gain the skills needed to identify risks and to assess cybersecurity risk-management practices and their impact on the services provided by the entity.
Reporting obligations are also strengthened under NIS 2, which requires any significant incident, as defined in the Directive, to be reported to the Member State’s computer security incident response team (“CSIRT”) or the relevant supervisory authority.
Since this European legislative act takes the form of a Directive that must be transposed within a given period, both Member States and the entities that may fall within its scope have to ensure a safe and stable process for complying with all the obligations it imposes.
Through all its improvements, NIS 2 should contribute to a safer cyberspace, which may ultimately improve the functioning of the internal market.