The NIS2 Directive will be one of the key pieces of cybersecurity legislation and, as such, it will impose new obligations on companies and individuals operating in certain critical sectors. Together, let us start a discussion on a wise and harmonized approach to the implementation of the NIS2 Directive in the individual Member States.
On 28 November 2022, the Council of the European Union adopted a new cybersecurity directive, EU Directive 2022/2555 (NIS2 Directive). It is intended to replace and repeal the current EU Directive 2016/1148 on measures for a high common level of security of network and information systems across the European Union (NIS Directive).
Why is the European Union introducing the NIS2 Directive?
The NIS Directive was intended to regulate cybersecurity in the European Union in a comprehensive manner. However, because the NIS Directive was not implemented consistently across individual EU countries, this objective has not been achieved. Therefore, the European Union has decided to adopt the NIS2 Directive in response to increasing cyber threats related to digitization. The aim of the new Directive is to achieve even higher levels of cybersecurity than under the NIS Directive. It is also designed to promote greater harmonization of cybersecurity rules across EU Member States.
The NIS2 Directive, like the NIS Directive, requires Member States to establish a national cybersecurity strategy, to designate competent national authorities and to respond to computer security incidents. However, compared with the first Directive, it introduces more stringent security and reporting requirements for entrepreneurs, as well as stricter supervision measures applied by national authorities.
The EY Poland Digital Law Team and the EY Poland Cybersecurity Team have prepared a report that discusses the impact of the NIS2 Directive and the challenges of implementing it for different business entities and for EU Member States, as well as the changes introduced in relation to the previous NIS Directive.