European obligation to report cyber incidents will be expanded to more sectors in 2024

From 2024, more European companies will be obliged to report serious cyber incidents and take appropriate security measures. These include companies in the food sector and postal companies.

The EU member states and the European Parliament reached an agreement on Wednesday on the revision of the EU Network and Information Security Directive (NIS2). The current directive mainly covers essential services, such as banks and energy suppliers. Providers of technical services, including cloud services and online marketplaces, also fall under the directive.

In two years’ time, the number of sectors covered by the directive will be expanded, reports the national government. Companies can then fall into two categories: essential providers and major providers.

Essential providers are supervised proactively. They include companies from the vital sector, such as drug manufacturers. Major providers are supervised after the fact, if there are indications that an incident has occurred. The major providers are mainly parties where a disruption of services does not have major social or economic consequences.

In addition to the reporting obligation, all providers that will fall under the revised directive must take appropriate security measures.

The directive is expected to be published this fall, following a vote in the European Parliament. It can then be transposed into national law, which should come into effect from mid-2024. EU ministers reached an agreement on the revised directive last December.