EU Finalizes Tighter Cybersecurity Law
EU governments approved stronger cybersecurity rules Monday. Once the revised network and information security directive (NIS2) takes effect, EU members will have 21 months to enact it into national law, the European Council said. NIS2 will "set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure." It will apply to providers of public electronic communications services, digital services and domain name system services (see 2103220038). It will harmonize cybersecurity requirements and the way they're implemented in different countries. Under the original directive, it was up to governments to determine which entities met the criteria to qualify as essential services subject to the rules, but NIS2 introduces a size-cap rule. It also adds provisions "to ensure proportionality, a higher level of risk management and clear-cut criticality criteria" to allow national authorities to determine if other entities should be covered. NIS2 won backing from the European Parliament Nov. 10.