Navigating the new EU cybersecurity standards: The NIS2 Directive and Cyber Resilience Act


Contributors:
Patrick Austin
CIPP/E, CIPP/US, CIPM, FIP, PLS
Data Privacy & Cybersecurity Counsel
Woods Rogers Vandeventer Black PLC
As part of its overarching Cybersecurity Strategy, the EU has rolled out two significant frameworks to promote and strengthen cybersecurity standards within the EU marketplace: the Network and Information Security Directive II and the Cyber Resilience Act.
According to the European Commission, the CRA is intended to complement the NIS2 cybersecurity framework and is part of a broader "series of comprehensive measures" being deployed in the EU to enhance cybersecurity standards.
The NIS2 Directive
As of 17 Oct. 2024, EU countries are required to transpose new rules established under the NIS2 Directive. For context, the NIS2 Directive revises and replaces the Network and Information Security Directive, which was adopted in 2016. The original NIS Directive created a set of common security and reporting obligations for operators of essential services and digital service providers in sectors such as banking, finance and digital platforms.
The newly established NIS2 Directive applies to a broader range of organizations operating in the EU marketplace, including essential and important organizations providing specific services within the EU marketplace. Organizations impacted by the directive include those deemed to be critical to the EU economy and active in such areas as digital services — including cloud services and data center providers — airlines, banks and medical device manufacturers.
Organizations that fall under its jurisdiction are required to implement an array of cybersecurity risk management measures, including the adoption of various policies — for example, incident response protocol, risk analysis and information system security procedures — routine cybersecurity training, implementation of a backup management and disaster recovery process, and the deployment of encryption and multifactor authentication, when appropriate and necessary.
In addition, covered organizations are required to notify their designated cybersecurity incident response teams of significant cybersecurity incidents within 24 hours of becoming aware of them.