The revised EU directive on the security of network and information systems (NIS2) imposes on critical entities (e.g. cloud providers, data centres, social media platforms) common security risk management and reporting requirements. Importantly, the NIS2 will also regulate the security of telecoms operators when providing both telecoms related services (e.g. mobile services) and non-telecoms services (e.g. cloud).
To build on the telecoms sector-specific knowledge already acquired under the European Electronic Communications Code (EECC), existing national guidelines adopted to transpose the EECC security provisions should be considered when implementing the NIS2 security requirements. Further, the revised directive encourages the use of encryption technologies (e.g. end-to-end encryption) and data-centric concepts such as segmentation.
The revised directive will subject providers active in the ICT supply chain, as well as some cross-border digital entities (e.g. online marketplaces, online search engines) to a higher degree of harmonisation. This will include EU level technical measures and procedures to demonstrate compliance with the security obligations of the NIS2.
In addition, the NIS2 Directive introduces a clear obligation on essential and important entities across all the sectors within its scope to assess the security level of their ICT products, services, and systems.
To assist entities in managing supply chains and supplier related cybersecurity risks, the NIS Cooperation Group is expected to prepare an ICT supply chain security toolbox (possibly in 2023). The toolbox should identify threat scenarios specific to ICT supply chains and provide generic security measures to respond to the threat scenarios.
Cullen International is releasing a series of reports on the different aspects of the newly revised directive on the security of network and information systems (NIS2). Our third of five reports covers certain security obligations which apply specifically to the telecoms, ICT supply chain and digital sectors.
See also:
Part 1: Scope
Part 2: Common security risk management and reporting requirements
For more information and to access our NIS2 report series, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
16 March 26
Africa tightens oversight of IoT connectivity as roaming and SIM rules diverge
Cullen International’s latest benchmarks assess the regulatory frameworks affecting IoT and M2M services in Africa. The research examines three core areas: whether permanent roaming is permitted, requirements for authorisation and notification, and whether and how SIM cards should be registered.
12 March 26
National implementation of the EU Gigabit Infrastructure Act
The Gigabit Infrastructure Act (GIA) is a regulation and as such directly applicable in all member states without the need for transposition into national law. Despite being a regulation, the GIA often sets minimum requirements, on top of which member states can adopt additional measures to address country-specific circumstances. Our new benchmark shows the choices made by member states when implementing the GIA.
09 March 26
How are EU member states transposing NIS2?
Our latest benchmark tracks the progress of the Directive on measures for a high common level of cybersecurity across the EU (NIS2) transposition in the 27 EU member states.