- Thierry Spanjaard
NIS2 latest addition to the EU Alphabet Soup
The NIS2 (Network and Information Security) directive has been adopted by the EU Parliament and Council and enters into force in January 2023; from that date, member states have 21 months to transpose its provisions into national law.
The goal of the new directive, which replaces NIS, is to bolster cybersecurity risk management measures and reporting obligations for all sectors covered by the directive, such as energy, transport, health and digital infrastructure. The NIS2 directive establishes minimum rules and mechanisms for cooperation among relevant authorities in each member state.
Along with NIS2 comes CyCLONe, the EU Cyber Crisis Liaison Organisation Network, a new entity in charge of coordinating the rapid management of large-scale cybersecurity incidents and crises. The directive covers entities in energy, transport, finance, digital infrastructure (including public communications networks or services, social networking platforms and data center services), public administration, manufacturing of certain critical products (such as pharmaceuticals, medical devices or chemicals), food, postal and courier services and space, and imposes cybersecurity obligations on them. In addition, the directive has been aligned with sector-specific legislation, in particular the Digital Operational Resilience Act (DORA) regulation for the financial sector. The directive also imposes notification duties: an early warning within 24 hours of becoming aware of a significant incident, followed by a fuller notification and a final report on a longer timeline. Finally, the NIS2 directive provides for fines of up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, whichever is higher, with lower maximums for important entities.
While NIS2 is on its way to enforcement, the European Union alphabet soup is not yet complete. The DMA, the Digital Markets Act, and the DSA, the Digital Services Act, which give European authorities regulatory powers over the large digital platforms and social networks such as the GAFAM (Google, Amazon, Facebook, Apple, Microsoft), have been adopted and are on their way to enforcement. Work in the European institutions is also moving forward on the digital identity (eID) framework, which will provide secure and trustworthy electronic identification by means of a personal digital wallet on a mobile phone (the European Digital Identity Wallet), to be recognized by the EU public sector and by private service providers. The EU is also preparing the CRA (Cyber Resilience Act), which will bring security requirements for products with digital elements, including IoT devices. The Data Act (DA) and the Data Governance Act (DGA) aim at reinforcing European digital sovereignty and at ensuring that European stakeholders obtain better value from the use of data. Finally, the EU-US Data Privacy Framework, which is meant to restore a legal basis for trans-Atlantic data flows, is under negotiation with the US authorities.
All these regulations, even if they appear remote from our daily concerns, have a profound impact on both our personal and professional lives. They bring regulation to the existing markets of the secure transactions industry and open new business opportunities. We will be ready to tackle these opportunities in 2023 and the coming years.
In the meantime, Smart Insights wishes you a very Happy New Year!