The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.
The Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive) provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:
- Member States’ preparedness, by requiring them to be appropriately equipped, for example with a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority;
- cooperation among all the Member States, by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States;
- a culture of security across sectors that are vital for our economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
Penalties for non-compliance
According to RINA, the NIS2 Directive establishes specific sanctions for companies that fail to meet compliance requirements. These sanctions include:
- Non-monetary remedies: National supervisory authorities can impose compliance orders, binding instructions, orders to implement security audits, and orders for companies to notify customers of threats.
- Administrative fines: For essential entities, Member States must provide for a maximum fine of at least €10,000,000 or 2% of the entity's total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, the maximum fine must be at least €7,000,000 or 1.4% of total worldwide annual turnover, again whichever is higher.
- Personal accountability of management: NIS2 requires management bodies to approve and oversee their entity's cybersecurity risk-management measures and allows them to be held liable for infringements. These are administrative rather than criminal measures; criminal penalties remain a matter for national law. Enforcement can include an order to make aspects of the non-compliance public and, for essential entities, a temporary prohibition on individuals with managerial responsibilities (such as the CEO or legal representative) exercising managerial functions where the entity repeatedly fails to comply with binding instructions.
These measures are designed to make corporate management accountable for, and to deter serious negligence in, the management of cyber risk.
The cybersecurity risk in the new era of operations
Cyber incidents (36% of overall responses) rank as the most important risk globally in the Allianz Risk Barometer for the third year in a row, and for the first time by a clear margin (5 percentage points). Cyber is the top peril in 17 countries, including Australia, France, Germany, India, Japan, the UK and the USA. A data breach is the cyber threat respondents find most concerning (59%), followed by attacks on critical infrastructure and physical assets (53%).
In the Allianz Commercial Safety and Shipping Review 2024, Captain Nitin Chopra, Senior Marine Risk Consultant at Allianz Commercial, highlighted that the use of information systems and data on board vessels is increasing. This presents a new challenge for shipping: as operators digitise their operations, vessels become more exposed to cyber-attacks.
Meanwhile, DNV’s Maritime Cyber Priority 2023 report notes that achieving a more cyber-secure supply chain is far from easy. For this to happen, operators need to thoroughly audit their vendors’ cybersecurity during procurement, installation and operation of equipment, systems and software.