On Thursday 17 October, the European Commission adopted new implementing rules for the cybersecurity of critical entities and networks, as part of the revised directive on network and information security (NIS2 Directive).
These new rules, set out in an implementing act, detail cybersecurity risk management measures and specify the cases in which an incident should be considered significant and should therefore be reported to the national authorities by companies providing digital infrastructures and services.
These rules will apply to specific categories of businesses providing digital services (cloud computing services, data centre services, online marketplaces, search engines and social networking platforms).
The NIS2 Directive is designed to increase the capacity of the public and private sectors to respond to cybersecurity incidents (see EUROPE 12952/1).
In November 2023, ENISA published a report which highlighted the low level of investment in cybersecurity by operators of essential services and digital service providers, despite the revision of the NIS2 Directive.
The adoption of these new rules coincides with the deadline for Member States to transpose the NIS2 Directive into national law, namely 18 October 2024. (Original version in French by Isalia Stieffatre)