Cybersecurity Act (Regulation (EU) 2019/881) – Implementing Regulation for ICT certification
DATE OF UPDATE: 19 December 2024
CURRENT STATUS
A new Commission Implementing Regulation was published in the Official Journal establishing the circumstances, formats and procedures for notifications of conformity assessment bodies by national cybersecurity certification authorities pursuant to Article 61(1) of the Cybersecurity Act.
Cyber Solidarity Act and targeted amendment to the Cybersecurity Act
CURRENT STATUS
The European Council adopted two new laws that form part of the cyber security legislative ‘package’: the Cyber Solidarity Act, and a targeted amendment to the Cybersecurity Act (to enable the future adoption of European certification schemes for managed security services).
WHY IS THIS APPLICABLE TO CLIENTS?
The amendment to the Cybersecurity Act will be of interest to managed security services and organisations that use these services. The amendment will enable the establishment of European certification schemes for these managed security services.
Cyber – Directive (EU) 2022/2555 (“NIS 2”)
CURRENT STATUS
Member States were required to transpose the NIS2 Directive into national law by 17 October 2024. The European Commission opened infringement procedures against 23 Member States (including Ireland) for failing to fully transpose NIS2 within that timeframe. The offending Member States have been afforded two months to complete their transposition and notify their measures to the Commission. In the absence of a satisfactory response, the Commission may decide to issue a reasoned opinion.
WHY IS THIS APPLICABLE TO CLIENTS?
NIS2 applies to a number of sectors, including digital infrastructure (including providers of cloud computing services) and digital providers such as online marketplaces, online search engines and social networking services platforms.
Physical Resilience of Critical Entities
CURRENT STATUS
The European Union (Resilience of Critical Entities) Regulations 2024 (“Regulations”) give full effect to the State’s obligations on the resilience of critical entities under Directive (EU) 2022/2557 (“CER Directive”) and further effect to the State’s obligations under Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023.
WHY IS THIS APPLICABLE TO CLIENTS?
While critical entities have not yet been identified, a wide range of sectors are within scope of the Regulations.
NEXT STEPS
Critical entities, once identified, will carry out risk assessments and take technical, security and organisational measures to enhance their resilience.
NIS 2 – Implementing Regulation
DATE OF UPDATE: 17 October 2024
CURRENT STATUS
The Commission adopted the first implementing rules on the NIS 2 Directive. The implementing regulation details cybersecurity risk management measures as well as the cases in which an incident should be considered significant.
WHY IS THIS APPLICABLE TO CLIENTS?
The implementing regulation will apply to specific categories of companies providing digital services, such as cloud computing service providers, data centre service providers, online marketplaces, online search engines and social networking platforms.