On December 16, the European Union released two proposals, one on NIS 2 and the other on cyber resilience of critical entities (read “infrastructures”). We have provided a short summary of what to expect:
Significant extension of the entities in scope of the new NIS directive – more sectors covered and no need for Member States’ designation of targeted entities. New terminology: essential versus important entities. Similar trend under the Critical Infrastructure directive.
New requirements for supply chain management, and new incident preparation and reporting requirements (a 24-hour timeframe to report to authorities, and new communication requirements to affected users of the services).
Extraterritorial reach and higher fines for non-compliance across the EU Member States (10 million or 2% of worldwide turnover).
New framework for threat information sharing (including new governance principles).