What cybersecurity legislation may be relevant to my business if I operate in the EU?
Depending on the sector you operate in and the services you provide, in particular the following cybersecurity acts may be relevant for you:
The NIS2 Directive (NIS2)
NIS2 will repeal the current NIS Directive, amending the rules on security of network and information systems. It has a broader concept of ‘essential’ and ‘important’ entities and has materially expanded the types of organisations that fall within these categories. See also question 2 below regarding this act.
The Directive on the Resilience of Critical Entities (CER)
CER sets out rules that aim to reduce vulnerabilities and strengthen the physical resilience of critical entities. See also question 2 below regarding this act.
The Digital Operational Resilience Act (DORA)
DORA imposes requirements for the security of network and information systems supporting the business processes of financial entities in both digital and physical dimensions.
You can find an overview of these acts in our newsletter.
In addition, there is a tsunami of further cyber-focused regulations that may be relevant to your business. Examples include the EU Cybersecurity Act, the proposal for an EU Cyber Resilience Act and the proposal for a Cyber Solidarity Act, as well as UN R155 and UN R156. To keep up to date with the latest developments in cybersecurity, please subscribe to our Bird & Bird Connected Newsletter.
Do you have questions about these acts, how they interact and how they will affect your business? Please reach out to your local country contact who will be happy to help you assess the impact of the new legislation on your business and prepare for compliance.
Is my business in scope of the EU cyber security regulations?
With the NIS2 and CER Directives, critical sectors like energy, transport, banking, financial markets, health, drinking water, wastewater and digital infrastructures (e.g., cloud computing service providers, data centre service providers, providers of public electronic communications networks, providers of publicly available electronic communications services) need to comply with cybersecurity requirements.
The NIS2 Directive is one of the most important pieces of cybersecurity legislation. By October 2024, the new rules need to be implemented by Member States that can extend the scope and obligations for businesses.
To check whether your business is likely to be in scope of the new rules, you can access our online tool by contacting Tomasz Zalewski.
What are the obligations for business?
The new rules contain inter alia specific cybersecurity risk management requirements, including:
risk analysis and information system security policies
business continuity, such as backup management and disaster recovery, and crisis management
supply chain security including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
security in network and information systems acquisition, development and maintenance
policies and procedures to assess the effectiveness of cybersecurity risk management measures
stronger reporting obligations
In order to identify what needs to be done in terms of compliance, Bird & Bird can assist you with a product and services assessment.
How about management responsibility?
The new rules involve personal liability of the business management and in-company training. Bird & Bird offers a management training on cybersecurity requirements and compliance in cooperation with local IT security firms. To find out more, please reach out to your local country contact.
My business operates in more than one Member State in the EU. What should I do?
Each Member State may extend the scope of the new cybersecurity rules and obligations. At Bird & Bird we monitor the developments for all EU Member States and identify national add-ons. See our free NIS2 and CER trackers and find out more about our fixed price NIS2 monitoring service solution.
How do I keep track of the relevant developments for my business?
For international businesses that operate in more than one Member State, tracking the relevant developments can be a challenge. To help you, we have developed tracker products that provide insights into new national legislation, further analysis and a tailored impact assessment for a fixed price per country.
I want to ensure that my business is compliant with the cybersecurity standards and regulations. What do I need to do?
First, you need to draft a products and services impact assessment.
Second, evaluate your business and incident response and reporting processes.
Third, arrange training of management and personnel involved.
Bird & Bird’s cybersecurity team is ready to provide assistance in accordance with your needs.
What should I do now to properly respond to the cybersecurity regulatory tsunami?
You should assess in particular the following:
Whether your organisation falls/might fall within the scope of the new cybersecurity legislation
What new requirements would need to be implemented by your organisation if you directly fall within the scope of the new legislation
If your organisation is not directly covered by the legislative act(s), whether you deal with suppliers or customers subject to the new rules
What obligations your organisation needs to attribute to your suppliers in your contractual arrangements to facilitate a seamless, cybersecurity compliant supply chain and to be in conformity with other requirements foreseen by the applicable legislative act
Prepare/update processes for incident and threat reporting
Whether the Member State(s) in which you operate will mandate the use of certified products, services or processes
Whether the Commission’s implementing acts will result in the harmonisation of additional cybersecurity requirements across the EU
Whether there are any related or additional local IT security requirements which still need, or would potentially need, to be implemented due to national legislation, and how to steer a coordinated approach to implementation
With respect to the local implementation of the NIS2 and the CER Directive, considering the minimum harmonisation approach of both legislative acts, whether EU Member States (intend to) adopt stricter measures.