Brussels, 16 January 2023  

On January 16, 2023, the Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) and the Directive on the resilience of critical entities (“CER Directive”) entered into force. The NIS2 Directive repeals the current NIS Directive and creates a more extensive and harmonized set of rules on cybersecurity for organizations carrying out their activities within the European Union. The CER Directive repeals the European Critical Infrastructure Directive and brings with it new, stronger rules for the cyber and physical resilience of critical entities and networks. 

“Port facilities” and companies “operating works and equipment within ports” are mentioned in the NIS2 Directive, meaning that companies in the port sector exceeding the ceiling of medium-sized companies need to comply with the technical, operational and organizational measures aimed at reducing cyber risks which are prescribed by the NIS2 Directive. If certain additional criteria are met, SMEs could also be covered by NIS2.

The CER Directive aims at strengthening the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. These threats could of course also include a cyber component. The CER Directive applies to 11 sectors which have been deemed critical: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food.

Member states will need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services.

Critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.