Cybersecurity in 2023: a new EU directive
This year, a new EU cybersecurity directive will come into force, balancing regulations across the Union and covering even more sectors of the economy. It has already been labeled the second GDPR in terms of importance.
The 2016 cybersecurity directive covered the banking and financial market, health care, water and digital services sectors. However, its domestic implementation appeared complex and fragmented.
The second Network and Information Security Directive (NIS2) became effective on January 16, 2023. NIS2 includes more areas, such as social networks and online marketplaces, search engines, data centers, space, and mail services.
A fundamental change that the Second Directive will bring is that EU countries will no longer be able to tailor security requirements to themselves. Accordingly, the responsibility for enforcing cybersecurity requirements falls on the states themselves, while the European Commission on Cybersecurity will become the supervisory body.
For many countries, and for Luxembourg in particular, this could lead to an increased burden on certain economic sectors and small companies. One example is the financial sector, which has a large presence in the Grand Duchy. Many banks and financial institutions that are familiar with the first 2016 cybersecurity directive have already invested in cybersecurity, and they will find the transition easier. For smaller businesses and new organizations, however, the burden may be more noticeable. That's why the government should step in to help fund cybersecurity.