NIS 2 Directive Article 24 – Use Of European Cybersecurity Certification Schemes
Introduction
The NIS 2 Directive, aimed at enhancing cybersecurity across the European Union, includes crucial provisions such as Article 24, which covers the use of European cybersecurity certification schemes. This article plays a key role in ensuring that essential and important entities comply with specific requirements to strengthen the overall cybersecurity posture within the EU.

Importance of Compliance
Article 24 of the NIS 2 Directive emphasizes the significance of essential and important entities using certified ICT products, ICT services, and ICT processes that meet European cybersecurity standards. Compliance with these standards is crucial in mitigating cyber risks and protecting critical infrastructure and services.
European Cybersecurity Certification Schemes
The directive highlights the use of European cybersecurity certification schemes adopted under Regulation (EU) 2019/881. These schemes establish a framework for certifying ICT products, services, and processes based on predefined security requirements. By adhering to certified solutions, organizations can demonstrate their commitment to cybersecurity best practices.
Encouraging Trust Services
Member States are encouraged to promote the use of qualified trust services among essential and important entities. Trust services play a vital role in ensuring the confidentiality, integrity, and availability of electronic transactions and communications. By leveraging trust services, organizations can enhance the security and reliability of their digital operations.
Commission's Role
The Commission can adopt delegated acts to supplement the directive, specifying the categories of entities required to use certified ICT solutions or obtain certificates under European cybersecurity certification schemes. These acts are essential in addressing cybersecurity gaps and establishing a uniform approach to compliance across the EU.
Impact Assessment and Consultations
Before introducing delegated acts, the Commission is mandated to conduct an impact assessment and consult with relevant stakeholders. This ensures a transparent and inclusive decision-making process, taking into account the potential implications and feedback from industry experts and governmental bodies.
Addressing Certification Gaps
In cases where suitable European cybersecurity certification schemes are lacking, the Commission may collaborate with ENISA to develop candidate schemes. This proactive approach enables the continuous evolution of certification frameworks to align with emerging cyber threats and technological advancements.
Conclusion
Article 24 of the NIS 2 Directive serves as a pivotal mechanism for enhancing cybersecurity resilience within the European Union. By leveraging European cybersecurity certification schemes and promoting trust services, essential and important entities can bolster their defences against cyber threats. The Commission's role in adopting delegated acts and facilitating consultation processes underscores the commitment to fostering a secure digital environment for all stakeholders. Through proactive measures and collaboration, the EU continues to strengthen its cybersecurity framework to safeguard critical assets and infrastructure in an increasingly interconnected world.