NIS 2 and CER

Double strike to ward off hybrid threats

In recent years, there were numerous cases in which critical infrastructure in Europe came under attack. Not least the attack on the Nordstream 2 Baltic Sea pipeline made headlines. The European Union (EU) responded, among other things, with two legal acts to strengthen the defences of critical infrastructure and protect the EU from hybrid attacks.

Protection against hybrid threats

The Critical Entities Resilience Directive (CER Directive) and the recast of the Directive concerning measures for a high common level of security of network and information systems across the Union (hereinafter: NIS 2 Directive) form a single package. The NIS 2 Directive obliges important and essential entities to take measures to minimise cybersecurity risks. As even the best protection against cyberthreats can be useless against physical sabotage, the CER Directive targets classic threats to critical infrastructure. Together, the Directives aim to provide comprehensive protection for critical infrastructure by requiring it to be resilient. The concept of resilience is defined in Art. 2 No. 2 of the CER Directive in particular as a critical entity's ability to prevent, protect against, respond to and resist an incident.

Scope of application

The scopes of application of the CER and NIS 2 Directives are similar. Both Directives contain annexes listing regulated sectors. The Annex to the CER Directive largely corresponds to Annex 1 of the NIS 2 Directive. However, the scope of the CER Directive is narrower, as it only addresses critical entities. In order to be considered a critical entity, the entity must be categorised accordingly by a Member State according to Art. 2 No. 1 of the CER Directive. The CER Directive also specifies criteria for categorisation, pursuant to which the Member States, for example, are required by Art. 6 (2) (c) to take into account whether an incident at the entity would have significant disruptive effects. In the context of the NIS 2 Directive, however, it is not a question of whether the activity in one of the regulated sectors is important enough to be capable of leading to significant disruptive effects.

Same Same But Different

Although the Directives have different objectives, the requirements defined by them are similar: According to Art. 12 (1) of the CER Directive, Member States must require critical entities to carry out regular risk assessments. In addition, according to Art. 13 (1) of the CER Directive, critical entities must take appropriate and proportionate technical, security and organisational measures to ensure their resilience, including measures that take the entire supply chain into account. The concepts themselves are also similar to those of the NIS 2 Directive. Art. 21 of the latter likewise makes appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems mandatory. The triad of risk assessment, risk management measures (or measures to strengthen resilience) and reporting obligations in the event of security incidents is common to both legal acts, a fact that companies should take into account in their internal processes.

Conclusion

October is the deadline for Member States to implement the CER and NIS 2 Directives. This means that companies must be prepared to implement the necessary measures. The fact that both Directives impose on entities explicit obligations relating to the supply chain requires a rethink. If they have not done so yet, companies should check whether they are subject to the new requirements. If in doubt, the necessary measures should be implemented, because even where there is no legal obligation, companies should have a (commercial) interest of their own in defending against hybrid threats.
