NIS 2 Directive: New EU Rules on Cybersecurity (cepAdhoc)


Hybrid warfare, hacker attacks, cyber-attacks: Parliament and Council have agreed on new cyber security regulations in Brussels. According to the so-called NIS 2 Directive, around 160,000 European companies and public authorities will in future be subject to uniform EU requirements for managing cyber risks and reporting cyber incidents. The Centrum für Europäische Politik (cep) considers some regulations too broad and calls for a more efficient focus.


"The new regulations also cover companies that are not systemically important, i.e. companies that offer products and services that are not absolutely central to the functioning of society. It is to be feared that the competent authorities will be overburdened in practice with the supervision of about 160,000 entities," warns cep cyber expert Philipp Eckhardt. "Even if the Directive creates more legal certainty and prevents distortions of competition: less would have been more, a stronger prioritisation would therefore have been appropriate," says the scientist from Freiburg.

According to Eckhardt, the requirement to take greater account of supply-chain risks in future raises the level of cyber security in the EU. However, the responsibility should not rest solely on the shoulders of the institutions covered by the regulation. Eckhardt also welcomes the fact that in future a large number of companies will have to report incidents according to an orderly procedure. In the past, such reports were not always made, because many affected companies feared damage to their image. "Voluntary reporting has often not worked satisfactorily. The reporting obligation is also to be welcomed because it helps other companies to recognise and close security gaps," Eckhardt emphasises.