The European Union is working to improve its resilience against increasingly serious cyber threats in order to strengthen security across society as a whole and in the digital economy.
The Council of the European Union (the Council) has agreed its position on common high-level cybersecurity measures across the EU, with a view to further improving resilience and incident-response capabilities in both the public and private sectors and in the EU as a whole.
Once approved, the new directive, referred to as NIS2, will replace the current directive on the Security of Network and Information Systems (the NIS Directive).
NIS2 will set the baseline for cybersecurity risk-management measures and reporting obligations in all the sectors covered by the Directive, such as energy, transport, health and digital infrastructure.
The revised directive is intended to eliminate divergences in cybersecurity requirements and in how cybersecurity measures are implemented across Member States. To this end, it sets minimum rules for a regulatory framework and lays down mechanisms for effective cooperation between the relevant authorities in each Member State. It also updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.
The Directive will formally establish the European Union Cyber Crisis Liaison Organisation Network, EU-CyCLONe, which is intended to provide support for the coordinated management of large-scale cybersecurity incidents.
Under the former NIS Directive, Member States were responsible for determining which entities met the criteria to qualify as operators of essential services. The new NIS2 Directive instead introduces a size-cap rule as the general criterion for identifying regulated entities. This means that all medium-sized and large entities operating within the sectors concerned, or providing services covered by the Directive, will fall within its scope.
While the Council's position maintains this general rule, it also includes additional provisions to ensure proportionality, a higher level of risk management and clear criteria for determining which entities are covered.
The Council's text also clarifies that the Directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. National parliaments and central banks are likewise excluded from the scope of the Directive.
Since public administrations are also frequent targets of cyber attacks, NIS2 will apply to public administration entities of Member States' central governments. In addition, Member States may decide that it also applies to such entities at regional and local level.
The Council has aligned the text with sector-specific legislation, in particular the Digital Operational Resilience Act (DORA) regulation for the financial sector and the Critical Entities Resilience (CER) Directive, to provide legal clarity and ensure consistency between NIS2 and these new instruments.
A voluntary peer-learning mechanism will increase mutual trust and the sharing of good practices and experience, and will thus contribute to achieving a high common level of cybersecurity.
Member States will have two years from the date the Directive enters into force to transpose its provisions into national law.