
At the start of 2023, the European Union (EU) introduced two security-relevant EU Directives and one Regulation that have significant implications for the security of critical infrastructures in EU Member States. Doug Wiemer, Chief Technology Officer – Cyber, explains what they are and why they matter.
16 January 2023 marked a significant milestone in the security posture of EU Member States. On that date, two security-relevant EU Directives and one Regulation entered into force, each an indicator of the significance the EU is placing on improving its cybersecurity posture:
- The Network and Information Systems 2 Directive (NIS2): Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the EU, amending Regulation (EU) 910/2014 and Directive (EU) 2018/1972; repealing Directive (EU) 2016/1148
- The Critical Entities Resilience Directive (CER): Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities; repealing Directive 2008/114/EC
- The Digital Operational Resilience Act (DORA): Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector; amending Regulations (EC) 1060/2009, (EU) 648/2012, (EU) 600/2014, (EU) 909/2014 and (EU) 2016/1011.
Collectively, these have the potential to form a cohesive approach to securing the critical infrastructures of EU Member States.
What is NIS2?
NIS2 is an EU-wide cyber legislation that replaces the previous NIS Directive (Directive (EU) 2016/1148). It clarifies the categories of entity it applies to, expands their scope and strengthens the requirements of the original Directive.
NIS2 clarifies the categories it is applicable to by removing the distinction between ‘operators of essential services’ and ‘digital service providers’. Instead, the Directive applies to newly defined categories of ‘essential entities’ and ‘important entities’. Here, the difference is based on the sector and size of the operators.
NIS2 also expands the scope of entities falling into these categories by extending coverage of existing sectors and adding new sectors. New sectors include information and communications technologies (ICT) service management, public administration, wastewater treatment companies and space.
In addition, NIS2 imposes new security and incident reporting rules, establishes a stricter enforcement regime and increases the focus on supply chain security, particularly in the areas of ICT product security, secure development practices and potential application of cybersecurity certification schemes.
Member States have until 17 October 2024 to incorporate the Directive into their national laws.
What is CER?
CER is an EU-wide security-oriented legislation that replaces Directive 2008/114/EC. While NIS2 has a focus on cybersecurity, CER aims to create an overarching framework addressing the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.
Similar to NIS2, CER has substantially increased the scope of applicability. While the previous Directive was focused on the energy and transport sectors, CER is aligned with NIS2 and also encompasses banking and financial markets, health, drinking and wastewater, digital infrastructure, public administration and space. Interestingly, unlike NIS2, CER does not use the concept of ‘important’ entities; instead, it treats all critical entities as providers of essential services.
Here again, Member States have until 17 October 2024 to transpose the Directive into their national laws.
What is DORA?
DORA regulates how financial-sector entities across the EU protect against, detect, contain and recover from cybersecurity incidents affecting the ICT that supports their operations.
The Regulation seeks to achieve a common level of digital operational resilience by establishing uniform requirements concerning the cybersecurity of ICT systems supporting financial entities. Unlike the NIS2 and CER Directives, DORA is a Regulation, so it is binding and directly applicable in all EU Member States.
What else do I need to know about NIS2, CER and DORA?
NIS2, CER and DORA each address different aspects of security; however, some common themes stretch across all three, including:
- An increased emphasis on identifying and managing risks, including those of a cross-sectoral and cross-border nature
- The importance of coherence when applying NIS2, CER and DORA
- Policy frameworks and strategies that lead to enhanced sharing of threat intelligence and better coordination, both between operating entities and with their competent authorities
- Consideration of business continuity and mitigation of the risks that the supply chain poses to the security posture of the entities
- Development of materials and support for operational exercises that test the resilience of providers of essential services. In the context of NIS2 and DORA, this includes the use of threat-led penetration testing.
NIS2, CER and DORA guidance and support
NIS2, CER and DORA each pay substantial attention to the need for increased security resilience across the EU. As an experienced provider of cyber and physical security services, RHEA can provide relevant guidance and deliver solutions to entities across the breadth of these frameworks.
RHEA has extensive experience in the security of space systems and a trusted wealth of cyber and physical security knowledge and proficiency in the transportation, energy, drinking and wastewater, digital infrastructure and public administration sectors.
Contact us to find out how we can support you with security services and solutions.