Strengthening Cybersecurity Across the EU: The NIS2 Directive


The NIS2 Directive, an EU-wide cybersecurity legislation, introduces comprehensive legal measures to enhance cybersecurity within the European Union. Building upon the initial EU cybersecurity rules established in 2016, the NIS2 Directive, effective in 2023, updates and modernizes the existing legal framework to address the challenges posed by increased digitization and an evolving threat landscape. This directive expands the scope of cybersecurity rules to include new sectors and entities, thereby improving the resilience and incident response capabilities of both public and private entities, as well as the EU as a whole.

Key Measures of the NIS2 Directive

    • Preparedness of Member States: The directive mandates that Member States be appropriately equipped to handle cybersecurity incidents. This includes establishing a Computer Security Incident Response Team (CSIRT) and designating a competent national network and information systems (NIS) authority.
    • Enhanced Cooperation Among Member States: To foster strategic cooperation and information exchange among Member States, the directive sets up a Cooperation Group. This group is designed to support and facilitate collaborative efforts in addressing cybersecurity threats.
    • Cultivating a Culture of Security: The directive emphasizes the importance of cybersecurity across sectors crucial to the economy and society, particularly those heavily reliant on information and communication technologies (ICTs). These sectors include energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure.

Penalties for Non-Compliance

According to RINA, the NIS2 Directive introduces specific sanctions for companies that fail to comply with its requirements. These sanctions include:

Non-Monetary Remedies: National supervisory authorities can impose compliance orders, binding instructions, mandates for security audits, and orders for companies to notify customers of threats.

Administrative Fines:

Essential companies face maximum fines of at least €10,000,000 or 2% of the total annual global turnover, whichever is higher. Important companies face maximum fines of at least €7,000,000 or 1.4% of the total annual global turnover.

Criminal Penalties for Management:

The directive introduces measures to hold corporate management personally accountable in cases of serious negligence following a security incident. This can include publicizing compliance breaches and, for essential entities, temporarily banning individuals from holding managerial positions in cases of repeated violations.

These measures aim to hold corporate management accountable and prevent serious negligence in managing cyber risks.

The Evolving Cybersecurity Threat Landscape

Cyber incidents remain the top global risk for the third consecutive year, with a significant margin (5 percentage points). It is the primary concern in 17 countries, including Australia, France, Germany, India, Japan, the UK, and the USA. The Allianz Risk Barometer identifies data breaches as the most concerning cyber threat (59%), followed by attacks on critical infrastructure and physical assets (53%).

Captain Nitin Chopra, Senior Marine Risk Consultant at Allianz Commercial, notes in the Safety and Shipping Review 2024 that the increasing use of information systems and data on vessels presents new cybersecurity challenges for the shipping industry as they digitize their operations.

Furthermore, DNV’s Maritime Cyber Priority 2023 report highlights the difficulties in achieving a more cyber-secure supply chain. It underscores the need for operators to thoroughly audit their vendors’ cybersecurity requirements during the procurement, installation, and operation of equipment, systems, and software.


Source: Safety4Sea