Insights Council of the EU agrees general approach on proposals to amend Security of Network and Information Systems Directive (2016/1148/EU) (NIS Directive)

On 3 December, the Transport, Telecommunications and Energy Council (Telecommunications) met and agreed on its position (general approach) on proposed measures for a high common level of cybersecurity across the EU.

The proposal aims to improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. Once adopted, the new Directive, NIS 2, will replace the current NIS Directive.

NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors covered by the Directive, such as energy, transport, health and digital infrastructure.

The revised Directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different Member States. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each Member State. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.

The Directive will also formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.

While under the old NIS Directive, Member States were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 Directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the Directive will fall within its scope. While the Council’s position maintains this general rule, it includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered.

The Council text also clarifies that the Directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope.

As public administrations are also often targets of cyberattacks, NIS2 will apply to public administration entities of central governments. In addition, Member States may decide that it applies to such entities at regional and local level as well.

The Council aligned the text with sector-specific legislation, in particular the Regulation on digital operational resilience for the financial sector (DORA) and the Directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between all the legislation.

It has also streamlined the reporting obligations in order to avoid over-reporting and creating an excessive burden on the entities covered.

Member States would have two years from the entry into force of the Directive in which to incorporate the provisions into their national law.

The general approach reached will allow the Council presidency to start negotiations with the European Parliament. Both the Council and the European Parliament will need to agree on the final text. To read the Council’s press release in full, click here.