EU Reach Provisional Agreement (NIS2) to Strengthening EU-wide Cybersecurity and Resilience 

The Council and the European Parliament have agreed on measures for a high common level of cybersecurity across the Union. In order to improve resilience and respond to incidents quickly. The new directive, called 'NIS2', will replace the current directive on security of network and information systems. Once adopted, the new directive will replace the current directive on security of network and information systems (the NIS directive).

Stronger risk and incident management and cooperation

NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health, and digital infrastructure. The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.

The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.

Dutch member of the parliament Bart Groothuis, responsible for the new directive on behalf of the European Parliament: "NIS2 is the best cyber security legislation this continent has seen so far, as it will enable Europe to proactively tackle cyber threats."

Groothuis recently visited the HSD Campus to meet with Threadstone Cyber Security amongst others to exchange information about the upcoming NIS-2 regulation.

Widening of the scope of the rules

While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.

While the agreement between the European Parliament and the Council maintains this general rule, the provisionally agreed text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered. The text also clarifies that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope.

As public administrations are also often targets of cyberattacks, NIS2 will apply to public administration entities at central and regional level. In addition, member states may decide that it applies to such entities at local level too.

Other changes introduced by the co-legislators

The European Parliament and the Council have aligned the text with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts. A voluntary peer-learning mechanism will increase mutual trust and learning from good practices and experiences, thereby contributing to achieving a high common level of cybersecurity. The two co-legislators have also streamlined the reporting obligations to avoid causing over-reporting and creating an excessive burden on the entities covered.

Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.

Next steps

The provisional agreement concluded is now subject to approval by the Council and the European Parliament. On the Council’s side, the French presidency intends to submit the agreement to the Council’s Permanent Representatives Committee for approval soon.

Source: Council of EU and Europa-nu.