NIS 2 Directive Article 24 – Use of European Cybersecurity Certification Schemes
Introduction
The NIS 2 Directive (Directive (EU) 2022/2555), which aims to raise the common level of cybersecurity across the European Union, includes in Article 24 provisions on the use of European cybersecurity certification schemes. The article links the risk-management obligations that essential and important entities already have under Article 21 to the certification framework of the Cybersecurity Act (Regulation (EU) 2019/881), so that certified ICT products, services and processes can be used as evidence of compliance.
Importance of Compliance
- Article 24(1) allows Member States to require essential and important entities, in order to demonstrate compliance with particular requirements of Article 21, to use ICT products, ICT services and ICT processes that are certified under a European cybersecurity certification scheme. The requirement covers solutions the entity develops itself as well as those procured from third parties. Certification is therefore not a blanket obligation of the directive: it becomes mandatory only where a Member State imposes it, or where a Commission delegated act (see below) prescribes it for a category of entities. In practice, entities should check their national transposition for any such requirement before treating certification as optional.
European Cybersecurity Certification Schemes
- The schemes referred to are those adopted under Article 49 of Regulation (EU) 2019/881, the Cybersecurity Act. Each scheme defines the security requirements, evaluation methods and assurance level against which ICT products, services and processes are certified, so a certificate issued under a scheme is recognised across all Member States. Using certified solutions gives an entity a verifiable, EU-wide basis for showing that a given component meets defined security requirements, rather than relying on vendor claims alone.
Encouraging Trust Services
- Article 24(1) also obliges Member States to encourage essential and important entities to use qualified trust services, as defined in the eIDAS Regulation (Regulation (EU) No 910/2014). Qualified trust services, such as qualified electronic signatures, seals, time stamps and website authentication certificates, provide authenticity, integrity and non-repudiation for electronic transactions and communications, and are issued by providers that are supervised and audited under eIDAS. Using them lets an entity rely on a legally recognised level of assurance instead of self-managed equivalents.
Commission's Role
- Under Article 24(2) the Commission is empowered to adopt delegated acts supplementing the directive that specify which categories of essential and important entities must use certain certified ICT products, services and processes, or obtain a certificate under a European cybersecurity certification scheme. Such acts are to be adopted where insufficient levels of cybersecurity have been identified, and each must include an implementation period so that the affected entities have time to comply. This mechanism is what turns the optional use of certification into a binding, EU-wide requirement for a given sector or category of entity.
Impact Assessment and Consultations
- Before adopting such a delegated act, the Commission must carry out an impact assessment and hold consultations in accordance with Article 28 of Regulation (EU) 2019/881. This gives industry, national authorities and other stakeholders an opportunity to comment on the scope, cost and feasibility of a certification requirement before it becomes binding.
Addressing Certification Gaps
- Article 24(3) addresses the case where no appropriate European cybersecurity certification scheme exists for the purposes of a planned delegated act. The Commission may then, after consulting the NIS Cooperation Group and the European Cybersecurity Certification Group, request ENISA to prepare a candidate scheme under Article 48(2) of Regulation (EU) 2019/881. This allows certification requirements to be extended to product and service categories that the existing schemes do not yet cover.
Conclusion
Article 24 of the NIS 2 Directive connects the risk-management obligations of essential and important entities to the EU certification framework. Member States may require the use of certified ICT products, services and processes as evidence of compliance with Article 21, and must encourage the use of qualified trust services; entities that adopt both gain a recognised, verifiable basis for the security of the components they rely on.
The Commission's power to adopt delegated acts, subject to an impact assessment and consultation, and its ability to request new candidate schemes from ENISA, mean that certification requirements can be made binding and extended over time as gaps in the EU's cybersecurity posture are identified.