The European Council adopted legislation intended to establish a high common level of cybersecurity across the entire Union. The goal is to further enhance the resilience and incident response capabilities of the public and private sector and of the Union as a whole.
The new directive, called ‘NIS2’, will replace the current directive on the security of network and information systems (the NIS directive). With this initiative, the Council makes clear that it considers cybersecurity a key challenge that will undoubtedly remain one in the coming years. In this sense, the new legislation is a matter of high stakes for our economies and our citizens.
The NIS2 will establish the baseline for cybersecurity risk management measures and reporting obligations in all sectors covered by the directive, such as energy, transport, health and digital infrastructure.
The revised directive seeks to harmonise cybersecurity requirements and the implementation of cybersecurity measures in the different member states. To this end, it establishes minimum rules for a regulatory framework and mechanisms for effective partnership among the relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and penalties to ensure enforcement.
The directive will formally establish the European Cyber Crisis Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.
Under the old NIS directive, member states were responsible for determining which entities met the criteria to qualify as operators of essential services. The new NIS2 directive, however, introduces a size-cap rule as the general rule for identifying regulated entities. This means that all medium-sized and large entities operating within the sectors, or providing the services, covered by the directive will fall within its scope.
Although the revised directive maintains this general rule, its text includes additional provisions to ensure proportionality, a higher level of risk management and clear criticality criteria to allow national authorities to determine other covered entities.
The text also clearly states that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security and law enforcement. Judiciary, parliaments and central banks are also excluded.
The NIS2 will also apply to public administrations at the central and regional levels. In addition, member states may decide to apply it to these entities at the local level.
Furthermore, the new directive has been aligned with sector-specific legislation, in particular the regulation on the digital operational resilience of the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure consistency between NIS2 and these acts.
A voluntary peer-to-peer learning mechanism will increase mutual trust and learning from good practices and experiences in the Union, thus contributing to achieving a high common level of cybersecurity.
The new legislation also streamlines reporting obligations in order to avoid cases of over-reporting and undue burden on covered entities.