The European Council adopted legislation for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. The new directive, called “NIS2”, will replace the current directive on security of network and information systems (the NIS directive).
“There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes for our economies and our citizens are enormous. Today, we took another step to improve our capacity to counter this threat,” said Ivan Bartoš, Czech Deputy Prime Minister for Digitalization and Minister of Regional Development.
Stronger risk and incident management and cooperation
NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure.
The revised directive aims to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.
The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.
Widening of the scope of the rules
While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule as a general rule for identification of regulated entities. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.
While the revised directive maintains this general rule, its text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for allowing national authorities to determine further entities covered.
The text also clarifies that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security, and law enforcement. Judiciary, parliaments, and central banks are also excluded from the scope.
NIS2 will also apply to public administrations at central and regional level. In addition, member states may decide that it applies to such entities at local level too.
Other changes introduced by the new law
Moreover, the new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts.
A voluntary peer-learning mechanism will increase mutual trust and learning from good practices and experiences in the Union, thereby contributing to achieving a high common level of cybersecurity.
The new legislation also streamlines the reporting obligations in order to avoid causing over-reporting and creating an excessive burden on the entities covered.
The EU Council’s adoption comes a few weeks after the European Parliament approved the new legislation.
The NIS2 directive will be published in the Official Journal of the European Union in the coming days and will enter into force in mid-December.
Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law. (Though it has to be noted that there are still some EU member states that have yet to implement the measures mandated by the NIS directive.)