At the end of 2020, the European Commission introduced a new EU Cybersecurity Strategy. This strategy was designed to build upon the previous NIS (Network and Information Systems) Directive, which is perhaps the most comprehensive cybersecurity directive in the world. Not only was it responsible for creating the foundation for notification and security requirements for digital service providers, it has also helped build cybersecurity capabilities broadly and establish consumer privacy protections.
This improved strategy is designed to defend against major cyberattacks by better supporting the cyberinfrastructure of major service sectors, such as healthcare networks, public transportation and energy grids. As we have seen in other articles, these service sectors can often be targets for major cyberattacks because they provide access to consumer information. By protecting these sectors, the European Commission is protecting individual citizens one attack at a time.
There is no question that cybersecurity defense is becoming increasingly important as we move into the 2020s. The formation of NIS 2.0 is, in no small part, a response to a reporting that showed in the five years prior to 2020 cybercrime doubled to reach $5.8 trillion of damages globally. The EU is treating cybercrime like the epidemic it is and putting measure in place to protect national infrastructure in the face of increasing attacks.
The new legislation is also aimed at strengthening the cybersecurity of digital products. This will bolster the protections afforded to citizens of the EU in terms of their purchases; it will also protect international consumers purchasing digital products from EU companies. This is, ultimately, the level of protection that non-EU consumers should push for from their countries: the more companies are held responsible for cyberattacks, the more incentivized they are to protect their customers. Here is a list of the most important additions to the original NIS Directive:
- Rules for regulating products with digital elements to ensure that they are cybersecure.
- Requirements for the design, development, and production of these products as well as obligations that companies must meet with respect to them.
- Requirements to ensure that these products are cybersecure for the totality of their lifecycle while also placing a burden on companies to report vulnerabilities or attacks.
- Rules on market surveillance and enforcement.