This is what the EU directives NIS2 and RCE/CER will bring to the table:
This blog post is about the EU Security and Resilience Directives NIS2 and RCE/CER.
These international EU regulations are aimed at Critical Infrastructures and other essential and important companies and institutions in the EU.
This blog post was initially written for a German audience, with some helpful references to the current German CRITIS regulation, but has been updated with information and links to the current international EU regulatory framework.
You will get a rough overview of the content of the two EU Directives adopted in December 2022:
(*) CER often used in German-speaking countries
Increased awareness of security and resilience due to geopolitical changes
At least since the change in the geopolitical security situation, the protection of Critical Infrastructures (CIP) and other system-critical enterprises has received increased attention in the European Union: from CIP operators in the EU, from the EU population, but also from political actors in the EU and the individual EU countries.
The regulation of CRITIS and other essential/important/critical entities will therefore evolve and become more stringent in the EU over the next few years. More obligations, more technical and organisational requirements, more impact (lower thresholds or other classification or impact criteria such as number of employees and turnover) and, for the first time, mandatory protection standards for physical security and resilience in addition to cybersecurity regulations will be imposed on affected EU companies.
In many cases, these regulations also apply to manufacturers and upstream suppliers, in terms of trustworthiness and security in the supply chain.
21 (d) “Supply chain security, including security-related aspects of the relationship between the individual entities and their direct suppliers or service providers.”
Our interpretation of Article 21 (d): Security in the supply chain
Thinking cybersecurity, resilience and physical security together and across the board
The aim of the new EU directives NIS2 and RCE/CER is not only cyber security, but – as required by RCE in particular – resilience and holistic security, including physical security, of critical infrastructure and other essential, important and system-relevant companies.
The three dimensions of CRITIS resilience
With reference to these EU legal requirements, we believe that the following three dimensions of resilience need to be considered in order to achieve holistic CRITIS resilience:
Legal regulatory framework TODAY
In Germany, as an example of national implementation of EU law, the IT Security Act 2.0 and the BSIG currently regulate the cybersecurity of classic CRITIS sectors.
All CRITIS cybersecurity regulations are concerned with ensuring that appropriate organisational and technical precautions are taken to prevent disruptions to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes. An announced CRITIS umbrella law will in future (2023ff) regulate not only cybersecurity, but also general resilience and, in particular, the physical security of CRITIS sectors in Germany.
In the other EU countries, cybersecurity (and possibly already some aspects of resilience) are regulated by corresponding national laws transposing the European NIS Directive into national law.
In Austria, for example, the counterpart to the German IT Security Act / BSIG is called “NISG” in reference to the EU Directive.
TODAY’s task for security officers in CRITIS:
Legal regulatory framework TOMORROW (year 2023ff)
The Network and Information Security Directive (NIS2) introduces new rules to promote a high common level of cybersecurity in the EU – for companies and countries. The Directive also strengthens cyber security requirements for medium and large companies operating in key sectors and providing services.
The RCE Directive introduces new rules to strengthen the resilience and physical security of critical assets.
In addition to existing EU or national cyber regulation of classic core CRITIS sectors, the following new and enhanced requirements will be the focus of Europe-wide security regulation in the period 2023-2024.
1) Content expansion
2) Scope and affectedness
The following is a quick overview of the EU legal framework:
The original wording of the EU directives
Complex EU regulation “cries out” for harmonisation
In the case of EU directives, in addition to the EU's original problem of “reconciling” the interests of 27 individual states, the detailed and heterogeneous EU bureaucracy and the “federal national freedom of implementation with various national opening clauses” become apparent, as the justifiably audible opinion of the market makes clear:
“The whole regulation is very complex and confusing, it cries out for harmonisation.”
Our attempt to “demystify” and “harmonise” in simple terms:
Many questions of detail and implementation still open
The various definitions, classifications and demarcations on the “EU paper” will, in reality and in national implementation, lead to overlaps or multiple effects, or to difficulties of demarcation and questions about the precedence of individual provisions, and will still leave exciting questions of detail to be resolved by the respective national legislators or competent national authorities.
The CRITIS security officer’s task TOMORROW:
In the following, we would like to share three pieces of information, on our own behalf and for your CRITIS video project:
Info 1 / Top Tip: CRITIS Practical Guide to Video Technology
Info 2 / Tip 2:
Info 3 / Tip 3: External independent source of information