On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (“Cyber Incident Reporting Act”). Under the new law, certain businesses that are defined as “covered entities” and are considered “critical infrastructure” will now be required to report cyber incidents to the U.S. Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and ransomware payments within 24 hours.
In broad terms, the statute defines covered entities as those within a critical infrastructure sector, as defined in Presidential Policy Directive 21 (“PPD-21”). PPD-21 identified the following 16 critical infrastructure sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.
The Network and Information Security (NIS) Directive is the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high common level of cybersecurity across the Member States. While it increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalisation and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. The proposed expansion of the scope covered by NIS2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term. Within the European Parliament, the file was assigned to the Committee on Industry, Research and Energy. NIS2 entered into force on 16 January 2023, and Member States now have 21 months, until 17 October 2024, to transpose its measures into national law. For its implementation in a specific Member State, check that Member State's website, for instance the CCB for Belgium.