• By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.

    

  They shall apply those measures from 18 October 2024.
• According to Article 21 (Cybersecurity risk-management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.
• When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
• s not established in the EU, but offers services within the EU, it shall designate a representative in the EU. The representative shall be established in one of those Member States where the services are offered. Such an entity shall be considered to fall under the jurisdiction of the Member State where the representative is established
• Therefore, the cybersecurity risk-management measures taken by the entity should protect not only the entity’s network and information systems, but also the physical environment of those systems from any event such as sabotage, theft, fire, flood, telecommunication or power failures, or unauthorised physical access
• Now any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the whole internal market.

• t sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

    

   The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.
• sion proposal expands the scope of the current NIS Directive by adding new sectors based on their how crucial they are for the economy and society, and by introducing a clear size cap — meaning that all medium and large companies in selected sectors will be included in the scope
• The proposal also eliminates the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance, and divided into essential and important categories, which will be subjected to different supervisory regimes.
• The proposal strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied.
• proposes to address security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in supply chains and supplier relationships. At European level, the proposal strengthens supply chain cybersecurity for key information and communication technologies. Member States in cooperation with the Commission and ENISA, may carry out coordinated risk assessments of critical supply chains

9 more annotations...