20 Feb '23
Lately, there has been an increasing focus - rightly so - on protecting digital networks, information systems and the devices connected to them. Especially from Europe, there are, or will be, many new regulations. It is interesting to see that, in these new regulations, there is also an increasing focus on the 'overlap' between cybersecurity and physical security of the critical infrastructure.
We discuss two developments in that area below. The first development concerns the new directive for the resilience of critical entities, and the second is discussed in the context of protecting the 'North Sea infrastructure'. On that, see for instance the report by the AIVD and the MIVD, which points out very specifically the danger of sabotage of North Sea infrastructure.
At the same time as the NIS2 Directive and DORA, the new 'critical entity resilience' directive (abbreviated as CER, for 'Critical Entities Resilience'; Directive (EU) 2022/2557) was published at the end of December 2022. That means that the implementation deadline for this directive, too, has now passed. This directive is part of the development of European laws and regulations on the security of the critical infrastructure of European member states.
In practice, the CER Directive and the NIS2 will often align, or even overlap. Here, the idea is that the CER Directive should enhance physical and non-cyber-related resilience, and the NIS2 Directive should enhance digital cyber-related resilience of the European Union's critical infrastructure.
In short: physical resilience in the CER and cyber resilience in the NIS2. But as the European legislator also noted, physical security and cybersecurity increasingly share common ground.
The new CER Directive prescribes obligations with which critical entities must comply, and for which member states must also organise supervision and enforcement, including sanctions.
Prevent, detect & respond
For example, critical entities must take measures that prevent incidents, mitigate the consequences of incidents, or help them recover adequately if an incident does occur.
In addition, the CER Directive requires incidents to be reported within 24 hours, followed by a detailed report no later than one month afterwards.
For now, this overview will suffice, also because the CER Directive has numerous exceptions that affect the aforementioned European cyber laws. With this contribution, we would like to point out the landscape of developments.
This often involves a 'European look' at laws and regulations. But increasingly, there are also regulations at the national level that deal with the protection of critical infrastructure. In that context, we now briefly consider the protection of North Sea infrastructure.
Especially after the Nord Stream 2 gas pipeline incident, more attention was paid to the protection of vital infrastructure in the North Sea. But attention had also been drawn to this issue earlier, for instance by the HCSS and by a motion in the House of Representatives.
On 8 February 2023, the cabinet sent a letter to the House of Representatives on this subject. In that letter, the cabinet discusses the 'joint strategy for the protection of North Sea infrastructure'.
The cabinet letter considers the various domains covered by the 'joint strategy'. For example, the national (Dutch) framework considers the various public and private parties involved in protecting the North Sea infrastructure:
Remarkably, the 'joint strategy' - in the context of protecting North Sea infrastructure - points to the importance of the NIS2 and CER Directives. And that makes it even more important for many parties to be well aware of those regulations.
Would you therefore like to know more about the CER and NIS2 Directives? We would be happy to discuss the (possible) legal implications for your business with you.