NIS 2 Directive: New EU Rules on Cybersecurity (cepAdhoc)
"The new regulations also cover companies that are not systemically important, i.e. companies that offer products and services that are not absolutely central to the functioning of society. It is to be feared that the competent authorities will be overburdened in practice with the supervision of about 160,000 entities," warns cep cyber expert Philipp Eckhardt. "Even if the Directive creates more legal certainty and prevents distortions of competition: less would have been more, a stronger prioritisation would therefore have been appropriate," says the scientist from Freiburg.
According to Eckhardt, the requirement to take greater account of supply chain risks in the future increases the level of cyber security in the EU. However, the responsibility should not rest solely on the shoulders of the institutions covered by the regulation. Eckhardt further welcomes the fact that in future a large number of companies will have to report incidents according to an orderly procedure. In the past, such reports were not always made, because many affected companies feared damage to their image. "Voluntary reporting has often not worked satisfactorily. The reporting obligation is also to be welcomed because it helps other companies to recognise and close security gaps," Eckhardt emphasises.
NIS 2 Directive: New EU Rules on Cybersecurity (cepAdhoc) (publ. 10.18.2022), PDF, 331 KB