The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive that came into force in 2023.[1] It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.
The Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive) provides legal measures to boost the overall level of cybersecurity in the EU. Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.
Being a Directive, NIS2 does not apply directly to the FAME platform; instead, the national provisions implementing the Directive should be considered. Nevertheless, the NIS2 Directive provides principles and high-level guidance for any entity dealing with cybersecurity.
[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
Legal basis for NIS2 Directive
Applies to both public and private entities referred to in Annex I or II of the Directive which qualify as medium-sized or larger enterprises under Article 2 of the Annex to Recommendation 2003/361/EC.
Key Definitions
Cybersecurity: the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.
Network and information system can mean:
- An ‘electronic communications network’ as described under article 2(1) of Directive 2018/1972.
- Any device or group of interconnected or related devices, one or more of which, pursuant to a programme, conduct automatic processing of digital data.
- Digital data stored, processed, retrieved, or transmitted by elements covered under the above points, for the purposes of their operation, use, protection, and maintenance.
Security of network and information systems: the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems.
Cyber threat: any potential circumstance, event or action that could damage, disrupt, or otherwise adversely impact network and information systems, the users of such systems and other persons.