This document is an excerpt from the EUR-Lex website

Cybersecurity of network and information systems

SUMMARY OF:

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU

WHAT IS THE AIM OF THE DIRECTIVE?

Directive (EU) 2022/2555, known as NIS2, sets out a common cybersecurity regulatory framework aiming to enhance the level of cybersecurity in the European Union (EU), requiring EU Member States to strengthen cybersecurity capabilities and introduce cybersecurity risk-management measures and reporting in critical sectors, along with rules on cooperation, information sharing, supervision and enforcement.

KEY POINTS

Cybersecurity refers to the activities necessary to protect network and information systems, the users of such systems and other people affected by cyber threats.

Critical sectors

The directive applies principally to medium-sized and large entities operating in the following sectors of high criticality, as defined in its Annex I:

  • energy:
    • electricity, including production, distribution and transmission systems and recharging points,
    • district heating and cooling,
    • oil, including production, storage and transmission pipelines,
    • gas, including supply, distribution and transmission systems and storage, and
    • hydrogen;
  • transport by air, rail, water and road;
  • banking and financial market infrastructures, such as credit institutions, operators of trading venues and central counterparties;
  • health, including healthcare providers, manufacturers of basic pharmaceutical products and critical medical devices, and EU reference laboratories;
  • drinking water;
  • waste water;
  • digital infrastructure, including providers of data centre services, cloud computing services, public electronic communications networks and publicly available electronic communications services;
  • ICT service management (business-to-business), i.e. managed service providers and managed security service providers;
  • space;
  • public administration at the central and regional levels, excluding the judiciary, parliaments and central banks; the directive does not apply to public administration entities that carry out activities in the areas of national security, public security, defence or law enforcement.

It also applies to other critical sectors, as defined in Annex II:

  • postal and courier services;
  • waste management;
  • chemical manufacturing, production and distribution;
  • food production, processing and distribution;
  • manufacturing, specifically of medical devices, computer, electronic and optical products, certain types of electrical equipment and machinery, motor vehicles and other transport equipment;
  • digital providers of online marketplaces, search engines and social networks; and
  • research organisations.

National cybersecurity strategy

Every Member State must adopt a national strategy to achieve and maintain a high level of cybersecurity in the critical sectors, including:

  • a governance framework clarifying the roles and responsibilities of relevant stakeholders at the national level;
  • policies addressing the security of supply chains;
  • policies on managing vulnerabilities;
  • policies on promoting and developing education and training on cybersecurity; and
  • measures to improve cybersecurity awareness among citizens.

Member States must establish a list of essential and important entities, along with entities providing domain name registration services, by . They must review and, where appropriate, update that list regularly, and at least every two years thereafter. The European Commission has adopted guidelines concerning the information that needs to be collected when drawing up these lists, along with a template for doing so.

The Commission has also issued guidelines clarifying the rules on the relationship between Directive (EU) 2022/2555 and current and future sector-specific EU legal acts addressing cybersecurity risk-management measures or incident reporting requirements. The appendix to the guidelines provides a non-exhaustive list of the sector-specific legal acts that the Commission considers as falling within the scope of Article 4 of Directive (EU) 2022/2555.

Computer security incident response teams

Computer security incident response teams (CSIRTs) are responsible for incident handling and provide technical assistance to entities. Their tasks include:

  • monitoring and analysing cyber threats, vulnerabilities and incidents at the national level;
  • providing early warnings, alerts, announcements and information to the entities concerned and to other stakeholders on cyber threats, vulnerabilities and incidents, if possible in near real time;
  • responding to incidents and providing assistance where applicable;
  • collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness on cybersecurity; and
  • providing, on request, proactive network and information system scanning to detect vulnerabilities with a potentially significant impact.

CSIRTs network

The directive sets up a network of national CSIRTs to promote swift and effective operational cooperation.

Coordinated vulnerability disclosure

Member States must:

  • designate one of their CSIRTs to coordinate the disclosure of vulnerabilities discovered in ICT products or services; and
  • ensure that people in the Member States are able to report vulnerabilities, anonymously if requested.

The European Union Agency for Cybersecurity (ENISA) will develop and maintain a European vulnerability database.

Cooperation group

The directive sets up a cooperation group to support and facilitate strategic cooperation and information exchange. It is composed of representatives of Member States, the Commission and ENISA. Where appropriate, the cooperation group may invite the European Parliament and representatives of relevant stakeholders to participate in its work.

European Cyber Crises Liaison Organisation Network

The European Cyber Crises Liaison Organisation Network (EU-CyCLONe) comprises representatives of Member States’ cyber crisis management authorities, along with the Commission in cases where a potential or ongoing large-scale cybersecurity incident has or is likely to have a significant impact on the sectors covered by the directive. In other cases, the Commission will participate in the activities of the network as an observer.

The network supports the coordinated management of large-scale cybersecurity incidents and crises at the operational level and ensures the regular exchange of information among Member States and EU institutions, bodies, offices and agencies.

The network is tasked, among other things, with:

  • coordinating the management of large-scale cybersecurity incidents and crises and supporting decision-making at the political level;
  • increasing preparedness;
  • developing a shared situational awareness; and
  • assessing the consequences and impact of large-scale cybersecurity incidents and crises and proposing possible mitigation measures.

Cybersecurity risk-management measures

Entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems they use. These measures have to be based on an all-hazards approach and include, among other things:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including the security-related aspects of the relationships between each entity and its direct suppliers or service providers;
  • vulnerability handling and disclosure;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management; and
  • the use of multi-factor authentication or continuous authentication solutions.

Management bodies must approve these measures, oversee their implementation and follow training that enables them to assess cybersecurity risks; they can be held liable for infringements.

Reporting

Entities must notify their CSIRT or relevant competent authority, without undue delay, of any significant incident, meaning an incident that:

  • has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or
  • has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Notification is staged: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, an intermediate report where requested, and a final report no later than one month after the incident notification.

Furthermore, ENISA will produce, together with the Commission and the cooperation group, a biennial report on the state of cybersecurity in the EU, which will also be submitted to the Parliament.

Supervision and enforcement

The directive provides for remedies and sanctions to ensure enforcement. Essential entities are subject to both ex ante and ex post supervision, while important entities are subject to ex post supervision only. Competent authorities may issue warnings, binding instructions and orders, and may impose administrative fines of up to €10 million or 2% of total worldwide annual turnover (whichever is higher) on essential entities, and up to €7 million or 1.4% on important entities.

Peer reviews

Peer reviews are set up with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity and enhancing Member States’ cybersecurity capabilities and policies necessary for implementing this directive. These reviews entail on-site or virtual visits and off-site exchanges of information. Participation in these peer reviews is voluntary.

Implementing act

Implementing Regulation (EU) 2024/2690 lays down rules for applying Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specifies the cases in which an incident is considered to be significant with regard to:

  • domain name system service providers,
  • top-level domain name registries,
  • cloud computing service providers,
  • data centre service providers,
  • content delivery network providers,
  • managed service providers,
  • managed security service providers,
  • providers of online marketplaces, of online search engines and of social networking services platforms, and
  • trust service providers.

Repeal

Directive (EU) 2022/2555 repealed Directive (EU) 2016/1148 (see summary) from , and Implementing Regulation (EU) 2024/2690 repealed Implementing Regulation (EU) 2018/151, which laid down rules for applying Directive (EU) 2016/1148.

FROM WHEN DO THE RULES APPLY?

The directive had to be transposed into national law by . The rules have applied since .

BACKGROUND

For further information, see:

MAIN DOCUMENT

Directive (EU) 2022/2555 of the European Parliament and of the Council of on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, , pp. 80–152).

Successive amendments to Directive (EU) 2022/2555 have been incorporated into the original version. This consolidated version is of documentary value only.
