The publication of the NIS2 & CER Directives and the Aviation sector
The NIS2 Directive, an important piece of EU legislation that aims to establish a high common level of cybersecurity across the EU, was published on 27/12/2022. The Directive amends the previous Directive on the security of network and information systems (the NIS Directive), which entered into force in August 2016.
The NIS2 Directive will be applicable in a number of industry sectors, including the Transport sector and, in turn, the Aviation sector. However, the security requirements laid down in NIS2 may be considered to be fulfilled for entities that comply with the corresponding security requirements of Regulations (EC) No 300/2008 & (EU) 2018/1139, as well as their relevant Delegated & Implementing Acts.
The Part-IS Regulation (Delegated & Implementing Act), which sets the requirements for organisations to manage information security risks with a potential impact on aviation safety, is the most prominent example of such applicable rules in the Aviation domain. It facilitates the achievement of a uniform and high level of protection from information security threats to Aviation organisations.
Moreover, the published Directive welcomes the exchange of information and cooperation between the NIS Cooperation Group and different stakeholders, including relevant EU institutions and Agencies such as EASA, to assist the Group in identifying and reacting to changing and new policy priorities and challenges in the field of cybersecurity.
The Directive on the resilience of critical entities (CER Directive) was published on the same day as the NIS2 Directive. The CER Directive aims to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, in numerous sectors including the transport sector. The common entry into force of both Directives underlines the collective aim of strengthening both the cyber and physical resilience of critical entities and networks in the EU.
EU Member States will have to transpose the NIS2 & CER Directives into their national laws by the 17th of October 2024 and shall apply those measures by the 18th of October 2024.