INFORMATION TECHNOLOGY
EU: CER and NIS 2 Directives enter into force.
The European Commission announced, on 16 January 2023, the entry into force of Directive (EU) 2022/2557 on the resilience of critical entities and repealing Council Directive 2008/114/EC ('CER Directive') and Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 ('NIS 2 Directive'), on 5 January and 16 January 2023, respectively.
In particular, the Commission explained that the CER Directive replaces Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, and strengthens the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. More specifically, the CER Directive applies to 11 sectors, including energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food, and requires Member States to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.
In regard to the NIS 2 Directive, the Commission stressed that the same ensures a safer and stronger Europe by significantly expanding the sectors and type of critical entities falling under its scope. At the same time, the Commission updated its NIS 2 Directive Questions and Answers ('Q&A') and factsheet pages.
Importantly, the Commission specified that Member States have 21 months to transpose the CER Directive and the NIS 2 Directive into national law.
Separately, the Commission highlighted that, in December 2022, the Council of the EU adopted the Recommendation on a coordinated approach by the Union to strengthen the resilience of critical infrastructure, following the proposal by the Commission in October 2022.
In particular, the Commission explained that the CER Directive replaces Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, and strengthens the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. More specifically, the CER Directive applies to 11 sectors, including energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food, and requires Member States to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.
In regard to the NIS 2 Directive, the Commission stressed that the same ensures a safer and stronger Europe by significantly expanding the sectors and type of critical entities falling under its scope. At the same time, the Commission updated its NIS 2 Directive Questions and Answers ('Q&A') and factsheet pages.
Importantly, the Commission specified that Member States have 21 months to transpose the CER Directive and the NIS 2 Directive into national law.
Separately, the Commission highlighted that, in December 2022, the Council of the EU adopted the Recommendation on a coordinated approach by the Union to strengthen the resilience of critical infrastructure, following the proposal by the Commission in October 2022.
