NIS 2 – The new EU Cybersecurity directives


To strengthen and support cybersecurity in the European Union, the NIS (Network and Information Systems) Directive, Directive (EU) 2016/1148, was adopted.

Although the Directive has significantly strengthened the EU’s cyber resilience, it also revealed shortcomings and some inconsistencies in its application.

This necessitated a revision and adaptation to the rapidly advancing digital transformation, as well as to the coordinated responses to cyber threats that this transformation requires.

The introduction of a new system

The new directive establishes an expanded and more differentiated scope.

This is intended to help create uniform criteria for companies.

Exceptions are foreseen for institutions in the field of national security, while data protection rules continue to apply.

A differentiated system of “essential” and “important” entities will be introduced:

Essential facilities, defined according to the new EU Cybersecurity directives

  • Energy (Electricity, District heating and cooling, Petroleum, Natural Gas, Hydrogen) 
  • Traffic (Air traffic, Rail transport, Navigation, Road traffic) 
  • Banking 
  • Financial Market Infrastructure 
  • Health Service 
  • Drinking Water 
  • Sewage 
  • Digital Infrastructure 
  • Management of ICT Services (B2B) 
  • Public Administration 
  • Space 

Important facilities

  • Postal and courier services 
  • Waste Management 
  • Production, manufacture, and trade of chemical substances 
  • Production, processing, and distribution of food products 
  • Manufacturing of goods (Manufacture of medical devices and in vitro diagnostics, Manufacture of computers, electronic and optical products, Manufacture of electrical equipment, Mechanical engineering, Manufacture of motor vehicles and semi-trailers, Construction of other vehicles)
  • Digital Service Provider 
  • Research 

Information exchange and support

Member States and the Commission are encouraged to establish minimum standards for cybersecurity risk management and reporting without compromising the Commission’s powers in various areas.

Sector-specific Union rules that are stricter or equivalent may take precedence.

Member States must ensure the effective handling of incidents. 

Expertise and resources of the CSIRTs

Each Member State should have at least one Computer Security Incident Response Team (CSIRT) to build trust and promote cross-border cooperation.

The CSIRTs must have the necessary expertise and resources to process sensitive data and monitor networks securely in accordance with EU data protection rules.  

The promotion of open standards, partnerships, and support for small and medium-sized enterprises (SMEs) are also essential. The size classes referred to are:

  • Small enterprise (KU): fewer than 50 employees and no more than €10 million in sales
  • Medium-sized enterprise (MU): fewer than 250 employees and no more than €50 million in sales
  • Large enterprise (GC): 250 or more employees and more than €50 million in sales

Cybersecurity Initiative at Union level 

In the event of cybersecurity crises, strategies and plans are to be developed in coordination with other relevant actors, such as the European Union Agency for Cybersecurity (ENISA).

The goal is to set up a European vulnerability database.

This database will work with existing systems, such as the Common Vulnerabilities and Exposures (CVE) system, to ensure efficiency. 

Protection of Network and Information systems

The directive also focuses on the protection of Network and Information Systems.

Each Member State should draw up a plan for incident preparedness and response.

Companies must take measures to ensure the continuity of their services, and EU member states must take measures to protect their critical infrastructures. 

Raising Transparency and public awareness

Another crucial element of the directive is the creation of transparency through the disclosure of security incidents.

This helps build public trust and raise awareness of cybersecurity risks.

Education initiatives and awareness-raising campaigns are designed to help increase citizens’ digital resilience and provide them with the knowledge they need to navigate the internet safely.

Preventive measures and proactivity

Developing proactive threat identification and response capabilities is essential. Cybersecurity incident reporting is a key element of this proactive approach. 

Integrity of the Internet and Messaging Services

Both internet and messaging services are fundamental components of the digital society.

Their integrity must be ensured through the application of robust security standards.

Access to a secure means of communication is a fundamental right, and the protection of users’ privacy and data is a top priority. 

Cooperation with third countries and international organisations 

The EU is seeking to intensify cooperation with third countries and international organisations.

This includes sharing best practices, sharing information about threats, and developing common responses to global cybersecurity challenges. 

Harmonisation of cybersecurity practices and supply chain risks

Another key concern of the directive is the harmonisation of cybersecurity practices between online service providers and the management of supply chain risks.

Service providers must ensure that their own systems and those of their partners meet the requirements, and that solid security standards are adhered to throughout.

Enforcement and penalties

Competent authorities must have the power to intervene directly in the event of serious cyber threats.

Member States can impose both criminal and administrative sanctions to ensure compliance with the Cybersecurity Directive.

The penalties must be effective, proportionate, and dissuasive.

Oversight and penalties differ between the two categories:

Essential facilities
  • Regular, targeted security checks
  • Spot checks
  • Fine: €10 million or 2% of global sales (whichever is higher)

Important facilities
  • Review only in case of reasonable suspicion
  • On-the-spot inspections and external ex-post oversight measures
  • Fine: €7 million or 1.4% of global sales

Review and Update

The directive’s guidelines are regularly reviewed.

This ensures that the directive remains relevant and effective, especially given the ever-evolving technology landscape.

How Emenda can help

It is known that the same 10 software vulnerabilities have caused more security breaches in the last 20 years than any other vulnerabilities. And yet, many companies and organisations still opt for the approach of fixing vulnerabilities only after the scan, after the intrusion, or, worse still, after the event! 


In a world where code is at the heart of so many everyday interactions – from banking to healthcare, from transportation to retail – Secure Code Warrior raises its (metaphorical) shield, developing a human-led approach that strengthens the security specialist in every programmer.

Secure Code Warrior makes improving a developer’s secure coding skills a positive and engaging experience. It recognises that timely and relevant security knowledge for developers is essential to the success of DevSecOps, and it empowers them not only to find vulnerabilities but also to acquire the knowledge and skills to fix them – or, better still, to prevent them from ever occurring in the first place.
 
By inspiring a global community of security-conscious developers to adopt this preventive, secure coding approach, Secure Code Warrior aims to pioneer a human-led, human-centric solution to improve security and eliminate poor coding patterns and the 10 most common vulnerabilities (and of course also the others), forever. 

Contact us today and make software security an integral part of your development process: www.fr.emenda.com/trial 

Source:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0823&qid=1695653925917

https://www.securecodewarrior.com/company/about-us