At a glance.
- NIS2 comes into effect in the EU.
- More on the Section 702 hearings.
- New York legislators vow to protect hospitals and schools from cybercriminals.
NIS2 comes into effect in the EU.
The European Parliament and Council’s new EU Directive 2022/2555 (NIS2), set to replace the prior NIS Directive 2016/114, takes effect today. NIS2 expands the scope of its predecessor, adding relevant sectors and introducing new obligations. The new directive is one element of a broader effort in the bloc to bolster the resilience of essential EU infrastructure, an effort that also includes the draft Cyber Resilience Act and EU Regulation 2022/2554 on digital operational resilience for the financial sector. The review process for the prior directive indicated a need for a more united approach to cyber regulations across the bloc, so NIS2 establishes an EU-wide coordination group focused on improving communication between states. Member states will also be mandated to create an administrative framework directed by a national cybersecurity strategy and supervisory authorities.
States must also establish one or more Computer Security Incident Response Teams that will work in conjunction with the European Union Agency for Cybersecurity. A wide array of business sectors will be impacted by NIS2, including energy, transport, finance, health, digital infrastructure, and space, though some micro and small entities will be exempt. The National Law Review offers an overview of the actions that must be taken, enforcement measures, and interactions with other legal frameworks. EU member states have until October 17, 2024 to implement the local laws necessary to comply with NIS2, but it’s advised that impacted companies, especially digital service providers, begin preparing now for the complex process of compliance.
More on the Section 702 hearings.
As we discussed last week, the US Privacy and Civil Liberties Oversight Board (PCLOB) is considering whether or not to reauthorize Section 702 of the Foreign Intelligence Surveillance Act, which allows the National Security Agency (NSA) to eavesdrop on foreign targets without a warrant. Due to expire at the end of the year, the measure has been the source of much debate. Privacy advocates see it as a means for the intelligence agency to abuse its surveillance powers, while intelligence officials regard it as a necessity for maintaining national security. On Friday, NSA director General Paul Nakasone told the PCLOB that if Section 702 is allowed to lapse on December 31, American spies would "lose critical insights into the most significant threats to our nation." As the Register recounts, despite the fact that the measure is designed to apply only to foreign targets, documents that were declassified in 2019 revealed that Americans were often swept up in Section 702 data collection. This information was unknown when 702 was last up for reauthorization back in 2017. Whether this knowledge will impact this year’s decision remains to be seen.
New York legislators vow to protect hospitals and schools from cybercriminals.
Lawmakers in the US state of New York are pledging to make helping local governments, educational institutions, and hospitals better defend themselves against cyberattacks a priority going into the new year, the New York Post reports. Steven Otis, chairman of the Assembly Science and Technology Committee, stated, “This is a top item on my agenda for 2023…I am especially sensitive to local government and school districts being targets of ransomware attacks. We have to get into prevent mode.” The state has seen a rise in cyberattacks targeting the sectors in question, including recent incidents impacting the Brooklyn One Health System and a Suffolk County web server. Last year Governor Kathy Hochul appointed Colin Ahern as the state’s first chief cyber officer, and the state bolstered its cybersecurity prowess after the Russian invasion of Ukraine. In the coming year, state senators are also considering holding hearings to discuss ransomware threats.
A spokesperson for New York City’s Office of Technology and Innovation explained, “The Adams administration is taking bold, proactive steps to protect the City and its nearly 9 million residents from damaging cyberattacks to our critical infrastructure and essential services.” Indeed, Mayor Eric Adams has already established a Joint Security Operations Center to coordinate cybersecurity efforts across the state and started an academy to educate city employees about cyber threats.