DP News – Week 46. NIS2 Directive is approved, EDPB revised recommendations of BCR.

On 10 November, European Parliament approved the so-called NIS2 Directive (Network and Information Security Directive), “to meet stricter supervisory and enforcement measures and harmonise [EU contries’] sanctions”.

The ‘first’ NIS Directive (EU 2016/1148) was adopted in 2016 and required its implementation through EU Member States’ national legislation. The national transposition by EU Member States took place on 9 May 2018. That was supported, in particular, by the EU Agency for Cybersecurity (ENISA) through the development of different thresholds, templates and tools, agreement of common approaches and procedures, etc.

However, as the Parliament explained earlier in June, the NIS DIrective’s “implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed with digitalisation and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU”.

Apart from that, the idea behind the NIS2 Directive is that more companies and sectors will be bound by its scope: “The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation”, the Parliament explains. As a next step, prior to publishing in the EU’s Official Journal, the EU Council has to formally adopt the law.

Moving forward to the news from the European Data Protection Board (EDPB), on 14 November 2022, the German BfDI (Federal Commissioner for Data Protection and Freedom of Information) reported that the EDPB revised its recommendations on Binding Corporate Rules. The text of the revised recommendations has been published today, 17 November 2022, and is available at the EDPB’s official website for public consultations. Comments can be sent until 10 January 2023 at the latest.