European cyber incident reporting obligation extends to more sectors in 2024

From 2024, more European companies will be required to report serious cyber incidents and take appropriate security measures. These include companies in the food sector and postal companies.

The EU member states and the European Parliament reached an agreement on Wednesday on the revision of the EU Network and Information Security Directive (NIS2). The current directive mainly covers essential services, such as banks and energy suppliers. Providers of technical services, including cloud services and online marketplaces, also fall under the directive.

In two years' time, the number of sectors covered by the directive will be expanded, the national government reports. Companies can then fall into two categories: essential providers and important providers.

Essential providers are supervised proactively. They include companies from the vital sector, such as drug manufacturers. Important providers are supervised after the fact, if there are indications that an incident has taken place. The important providers are mainly parties where a disruption of services has no major social or economic consequences.

In addition to the notification obligation, all providers that will fall under the revised directive must take appropriate security measures.

The directive is expected to be published this autumn, following a vote in the European Parliament. It can then be transposed into national law, which should come into effect from mid-2024. EU ministers reached an agreement on the revised directive last December.
