HomeInsightsEuropean Commission publishes combined evaluation roadmap/Inception Impact Assessment announcing a review of the Security of Network and Information Systems Directive (2016/1148/EU)

Article by

The European Parliament adopted the NIS Directive in July 2016. The NIS Directive provides legal measures to boost the overall level of network and information system security in the EU. It applies to operators of essential services and relevant digital service providers (RDSPs). In the UK, the NIS Directive was incorporated into national law via the Network and Information Systems Regulations 2018 in May 2018.

As part of its key policy objective to make “Europe fit for the digital age”, the Commission announced in its Work Programme 2020 that it would review the NIS Directive by the end of 2020. This is ahead of the deadline under Article 23(2) of the Directive, pursuant to which the Commission must review the functioning of the Directive and report to the European Parliament and the Council by 9 May 2021. The Commission says that bringing the deadline forward is justified by the sudden increase in the dependence on information technology during the COVID 19 crisis.

Based on data gathered to date, the Commission says that the NIS Directive has largely contributed to improving cybersecurity capabilities within Member States and the level of protection of network and information systems throughout the Union. However, there are a number of issues relating to the implementation of the Directive. For example, there is a lack of harmonisation across Member States in their implementation of the Directive, which has led to significant inconsistencies and fragmentation in the regulatory landscape. As a result, some critical actors, which are as vulnerable to cyber incidents as the operators covered by the Directive, are left outside its scope. Further, operators providing essential services have to comply with diverging security and incident reporting regulatory regimes across Member States, which creates an additional burden for those entities.

In addition, the speedy digital transformation of European society has expanded the threat landscape and is bringing new challenges, which require adapted and innovative responses. The Covid-19 crisis, and the resulting sudden growth in demand for internet-based solutions, has further emphasised the need for state of the art cybersecurity.

The review of the Directive includes:

  • assessing whether cybersecurity has improved across the EU;
  • identifying existing and emerging issues; and
  • identifying and quantifying the regulatory costs and benefits.

The deadline for providing feedback is 13 August 2020. To access the evaluation roadmap/Inception Impact Assessment and for further information on providing feedback, click here.