Cybersecurity risk management regulation applied to EU CNI providers
The EU has passed regulations to strengthen the resilience of EU Member States’ Critical National Infrastructure (CNI). These regulations implement an integrated, harmonized regime for cybersecurity risk management that includes the Digital Operational Resilience Act (DORA 2022/2554) for the financial sector, the Network Infrastructure Security Directive 2.0 (EU NIS 2.0 2022/2055, ‘the Directive’) for CNI, the Resilience of Critical Entities Directive (EU 2022/2557) for CNI, and the proposed Cyber Resilience Act 2022/0272 (COD) for the security of hardware products and services.
On 17 January 2023 EU NIS 2 was added to the EU Journal, addressing gaps in the cybersecurity risk management of EU Critical National Infrastructure providers. It gives EU Member States 21 months to transpose the Directive into national law. EU NIS 2 applies to critical national infrastructure providers that are deemed ‘sectors of high criticality’, which include energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. The second group consists of ‘other critical sectors – Directive Annex II’, which include postal and courier services, waste management, manufacturing, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers, and research organizations.
In this paper we review EU NIS 2: its scope of application, the implementation requirements placed on Member States, the impact of the regulation on Member State CNI providers and their reporting obligations, regulatory enforcement, and penalties for non-compliance.