Review of the directive on security of network and information systems
In “A Europe Fit for the Digital Age”
The first NIS Directive on security of network and information systems entered into force in August 2016. Member States had to transpose it into their national laws by 9 May 2018. On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy that aims to bolster Europe's collective resilience against cyber threats and ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. Accordingly, the Commission made two new proposals: a directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or 'NIS 2'), and a new directive on the resilience of critical entities.
The NIS Directive has increased national cybersecurity capabilities across the EU by requiring Member States to draw up a national cybersecurity strategy, to establish computer security incident response teams (CSIRTs) and to appoint NIS national competent authorities, thereby improving the cyber resilience of public and private entities in specific sectors and across digital services. The proposed revised directive (NIS 2) repeals the existing NIS Directive. The new proposal broadens the scope and aims to strengthen the security requirements imposed, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions regimes across Member States. It also includes proposals for information sharing and cooperation on cyber crisis management at national and EU level.
At the European Parliament the committee responsible for the file is the Committee on Industry, Research and Energy (rapporteur: Bart Groothuis, Renew, Netherlands). The committees for opinion are Foreign Affairs, Internal Market and Consumer Protection, Transport and Tourism and Civil Liberties, Justice and Home Affairs.
On 13 April 2021 the Commission presented its proposal before the Parliament's lead committee on Industry, Research and Energy (ITRE). The rapporteur presented his draft report on 26 May 2021. The deadline for tabling amendments to the proposed directive was 2 June 2021. On 14 July 2021 the Internal Market and Consumer Protection and the Transport and Tourism committees published their opinions, and on 15 July 2021 the Foreign Affairs Committee published its opinion on the ITRE committee draft report. The ITRE committee adopted its report on 28 October 2021. The report calls for tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing. It aims to lower the administrative burden and to improve cybersecurity incident reporting. In addition, the report states that EU countries would have to meet stricter supervisory and enforcement measures, and harmonise their sanctions regimes. The report also intends to broaden the sectoral scope to include academic, knowledge and research institutions, which the Commission had left outside the scope of NIS2 even though many national cybersecurity strategies cover them. The report was adopted by Parliament in its plenary of 22 November 2021, together with the decision to enter into interinstitutional negotiations.
The Council adopted its negotiating position on 3 December 2021. Compared to the initial proposal for NIS2, the Council introduced a number of significant changes. For instance, it introduced additional criteria to determine the entities to be covered by NIS2, excluding from the scope entities operating in defence or national security, public security, law enforcement and the judiciary, as well as parliaments and central banks.
Trilogue interinstitutional negotiations started on 13 January 2022, and the second round of trilogue negotiations took place on 17 February 2022. On Thursday 3 March, the rapporteur presented the state of play of the trilogue negotiations to the members of the ITRE committee. Parliament negotiators were insisting on the need for clear and precise rules for companies and were against the exclusion of certain governmental or public bodies from the scope. Other aspects under discussion included the funding of cybersecurity centres and the deadlines for transposing the directive into national law.
On 13 May 2022, Parliament and the Council reached a political agreement. The revised directive sets out minimum rules for a regulatory framework and lays down cooperation mechanisms among relevant authorities in each Member State. It updates the list of sectors and activities subject to cybersecurity obligations, and improves their enforcement. The directive will formally establish the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), which will support the coordination and management of incidents. The directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope.
The political agreement was adopted by the ITRE committee on 13 July 2022 and by Parliament in its plenary of 10 November 2022, with 577 votes in favour, 6 against and 31 abstentions. The text was also adopted by the Council on 28 November 2022 and signed by both co-legislators on 14 December 2022. It was published in the Official Journal on 27 December 2022 and entered into force 20 days later.
On 14 September 2023 the Commission published guidelines on the application of Article 3(4) of the NIS 2 Directive, which requires the Member States to establish a list of essential and important entities, as well as entities providing domain name registration services, by 17 April 2025.
Since 18 October 2024, all Member States must apply the measures necessary to comply with the NIS2 cybersecurity rules.
References:
- EP Legislative Observatory, Procedure file on high common level of cybersecurity across the Union (NIS 2 Directive), 2020/0359(COD)
- European Commission, The EU's Cybersecurity Strategy for the Digital Decade, JOIN(2020) 18
- European Commission, Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or 'NIS 2'), COM(2020) 823
- Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
- Council, Proposal for a Directive for a high common level of cybersecurity across the Union, general approach, 26 November 2021
- European Economic and Social Committee, Opinion on the Cybersecurity and Resilience of Critical Entities, 27 April 2021, TEN/730-EESC-2020
Further reading:
- European Parliament, A high common level of cybersecurity – NIS2, Plenary At a glance briefing, EPRS, November 2022
- European Parliament, The NIS2 Directive: A high common level of cybersecurity in the EU, legislative briefing, EPRS, February 2023
- European Parliament, Directive on security of network and information systems (NIS Directive), Implementation appraisal briefing, EPRS, November 2020
- European Parliament, Improving the common level of cybersecurity across the EU, Initial Appraisal of a European Commission Impact Assessment, EPRS, February 2021
Author: Maria del Mar Negreiro Achiaga, Members' Research Service, legislative-train@europarl.europa.eu