Double strike to ward off hybrid threats
In recent years there have been numerous attacks on critical infrastructure in Europe; the sabotage of the Nord Stream 2 Baltic Sea pipeline in particular made headlines. The European Union (EU) responded, among other things, with two legal acts intended to strengthen the defences of critical infrastructure and to protect the EU against hybrid attacks, i.e. combined physical and cyber threats.
Protection against hybrid threats
The Critical Entities Resilience Directive (CER Directive) and the recast of the Directive concerning measures for a high common level of security of network and information systems across the Union (hereinafter: NIS 2 Directive) are designed as a single package that complements each other. The NIS 2 Directive obliges important and essential entities to take measures to manage cybersecurity risks. Because even the best protection against cyberthreats is useless against physical sabotage, the CER Directive addresses the classic, non-cyber threats to critical infrastructure. Together, the Directives aim to provide comprehensive protection for critical infrastructure by requiring it to be resilient. Resilience is defined in Art. 2 No. 2 of the CER Directive as, among other things, a critical entity's ability to prevent, protect against, respond to and resist an incident (the definition also covers mitigating, absorbing, accommodating and recovering from it).
Scope of application
The scopes of application of the CER and NIS 2 Directives are similar. Both Directives contain annexes listing the regulated sectors, and the Annex to the CER Directive largely corresponds to Annex I of the NIS 2 Directive. The scope of the CER Directive is nevertheless narrower, because it only addresses critical entities. To be a critical entity, an entity must have been identified as such by a Member State (Art. 2 No. 1 in conjunction with Art. 6 of the CER Directive). The CER Directive also specifies criteria for this identification; under Art. 6 (2) (c), for example, Member States must take into account whether an incident at the entity would have significant disruptive effects. Under the NIS 2 Directive, by contrast, no such case-by-case assessment is made of whether an entity's activity in one of the regulated sectors is important enough to cause significant disruptive effects; as a rule, operating in a listed sector (together with the Directive's size thresholds) is sufficient to bring an entity within scope.
Same Same But Different
Although the Directives pursue different objectives, the requirements they impose are similar. According to Art. 12 (1) of the CER Directive, Member States must require critical entities to carry out regular risk assessments. In addition, according to Art. 13 (1) of the CER Directive, critical entities must take appropriate and proportionate technical, security and organisational measures to ensure their resilience, including measures that take the entire supply chain into account. The wording itself closely mirrors the NIS 2 Directive: Art. 21 of the latter likewise makes appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems mandatory. The triad of risk assessment, risk management measures (or measures to strengthen resilience) and reporting obligations in the event of incidents (Art. 15 of the CER Directive and Art. 23 of the NIS 2 Directive) is common to both legal acts, and companies should design their internal processes so that the two sets of obligations are handled together rather than in separate silos.
Conclusion
17 October 2024 is the deadline for Member States to transpose the CER and NIS 2 Directives into national law. Companies must therefore be prepared to implement the necessary measures. The fact that both Directives impose explicit supply-chain obligations on entities requires a rethink, since the risk assessment can no longer stop at the company's own perimeter. If they have not done so yet, companies should check whether they are subject to the new requirements. If in doubt, the necessary measures should be implemented anyway, because even where there is no legal obligation, companies have a (commercial) interest of their own in defending against hybrid threats.