The European Union (EU) has taken preliminary steps to protect both public and private organizations from cyber-attacks. The new directive, called “NIS2” (short for network and information systems), updates previous legislation from 2016. It requires organizations in the energy, transport, financial markets, health, and digital infrastructure sectors to adhere to risk management measures and reporting obligations. Under the new reporting mandates, companies must report cyber incidents to authorities within 24 hours. EU member states must incorporate the provisions into their national law within 21 months of the directive’s official publication. The directive widens the scope of cybersecurity rules, although it does not apply to organizations working in defense and national security. The legislation also includes a voluntary peer-learning mechanism that aims to raise overall cybersecurity competency across the EU through shared experiences and best practices.
Global leaders have discussed better cyber defense policies for several years. The war in Ukraine has forced governments across the globe to reexamine how they protect themselves from cyber-attacks in both the public and private sectors. The EU, much like the United States, is attempting to break down barriers and unify its organizations to raise the overall level of their cyber defense. The US calls this a whole-of-government approach, in which they leverage each other’s knowledge to bring everyone up to the same level. This will likely mean an increase in global cooperation, which we have already seen among law enforcement agencies working to combat cyber criminals. Russia has alienated itself with its invasion of Ukraine, and the rest of the globe is using the war as a learning mechanism to improve cyber defense practices and policies.