Brussels is extending its cybersecurity reach, and the implications for the burgeoning landscape of European smart cities are significant. The Network and Information Systems 2.0 Directive, or NIS2, enacted in 2022 with full implementation across member states commencing this year, represents a sweeping overhaul of the EU’s cybersecurity regulations.
While its primary aim is to establish a high standard of cybersecurity across the Union and improve the functioning of the internal market, its broad scope and enhanced requirements will fundamentally reshape how municipalities and private entities approach the security of interconnected urban environments.
For the first time, NIS2 holds company directors and executives directly accountable, subjecting them to strict penalties for failing to approve, oversee, and implement cybersecurity risk-management measures.
This directive departs from the previous directive and signals a heightened regulatory seriousness regarding the security of digital infrastructure.
Impact on Smart City infrastructure
This accountability shift will likely compel leadership to prioritize cybersecurity investments and training in the context of smart cities, where municipal services increasingly rely on complex networks of sensors, data platforms, and interconnected devices.
The directive significantly expands the scope of its predecessor, impacting designated “essential” and “important” entities and their extensive supply chains. Essential sectors listed include Energy, Transport, Digital Infrastructure, and Public Administration, all core components of smart city operations.
While specific smart city initiatives may not be explicitly named, the interconnected nature of urban systems means that entities operating within these essential sectors and their broader supply chains will fall under NIS2’s purview.
This extended responsibility implies that businesses providing services or technology integral to smart city functions, even if not directly classified as essential, will face increasing pressure to demonstrate robust cybersecurity measures.
NIS2 outlines specific cybersecurity risk-management measures that essential entities must implement based on an all-hazards approach. These include policies on risk analysis, incident handling, business continuity, supply chain security, and network security.
The directive explicitly mandates that essential entities consider the security-related aspects concerning their direct suppliers and service providers, including the vulnerabilities specific to each supplier and the overall quality of their cybersecurity practices.
This heightened focus on supply chain security is critical for smart cities, given the multitude of vendors and technologies often integrated into urban systems, from traffic management to energy grids.
Strong compliance efforts and significant penalties
Furthermore, NIS2 imposes strict reporting obligations for “significant incidents” that substantially impact essential entities. Failure to comply with these risk management and reporting obligations can result in significant financial penalties.
Essential entities face fines of up to €10 million or 2% of their total worldwide annual turnover, whichever is higher. Influential entities can be fined up to €7 million or 1.4% of their worldwide annual turnover.
These penalties underscore the EU’s determination to create a more secure digital environment. These potential fines represent a considerable financial risk for smart city operators, necessitating a proactive and comprehensive approach to cybersecurity.
Ultimately, NIS2 will likely drive significant investments in cybersecurity risk management, incident response capabilities, and supply chain oversight for entities involved in developing and operating smart city infrastructure across the European Union. While the directive aims to enhance the overall cybersecurity resilience of the EU economy, it also challenges municipalities and businesses to adapt to these new, more stringent requirements.
However, the directive’s emphasis on a secure digital environment is a crucial step in ensuring the long-term viability and trustworthiness of the increasingly interconnected urban landscape.
