Review of the directive on security of network and information systems
In “A Europe Fit for the Digital Age”
The first NIS Directive on security of network and information systems entered into force in August 2016. Member States had to transpose it into their national laws by 9 May 2018. The directive lays down requirements regarding the national cybersecurity capabilities of Member States, rules for their cross-border cooperation, and requirements regarding national supervision of operators of essential services and key digital service providers.
On 7 July 2020 the Commission launched a public consultation on the revision of the NIS Directive, aimed at collecting views on its implementation and on the impact of potential future changes. The consultation closed on 2 October 2020.
On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy that aims to bolster Europe's collective resilience against cyber threats and ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. Accordingly, the Commission made two new proposals: a Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or 'NIS 2'), and a new Directive on the resilience of critical entities.
The NIS Directive has increased national cybersecurity capabilities across the EU by requiring Member States to draw up a national cybersecurity strategy, to establish Computer Security Incident Response Teams (CSIRTs) and to designate national competent authorities for NIS, thereby improving the cyber resilience of public and private entities in specific sectors and across digital services. However, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. In order to respond to the growing threats brought by digitalisation and the increase in cyberattacks, the proposed revised directive (NIS 2) repeals the existing NIS Directive. The new proposal broadens the scope, strengthens the security requirements imposed on entities, addresses the security of supply chains, streamlines reporting obligations, and introduces more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions regimes across Member States. It also includes proposals for information sharing and for cooperation on cyber crisis management at national and EU level.
In the European Parliament the committee responsible for the file is the Committee on Industry, Research and Energy (ITRE) (rapporteur: Bart Groothuis, Renew, Netherlands). The committees asked for an opinion are Foreign Affairs (AFET), Internal Market and Consumer Protection (IMCO), Transport and Tourism (TRAN) and Civil Liberties, Justice and Home Affairs (LIBE).
On 13 April 2021 the Commission presented its proposal to the Parliament's lead committee, ITRE. The rapporteur presented his draft report on 26 May 2021, and the deadline for tabling amendments to the proposed directive was 2 June 2021. On 14 July 2021 the IMCO and TRAN committees published their opinions, and on 15 July 2021 the AFET committee published its opinion on the ITRE draft report. The ITRE committee adopted its report on 28 October 2021. The report calls for tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing. It aims to lower the administrative burden and to improve cybersecurity incident reporting. In addition, the report states that EU countries would have to apply stricter supervisory and enforcement measures and harmonise their sanctions regimes. The report also intends to broaden the sectoral scope to include academic, knowledge and research institutions, which the Commission had left outside the scope of NIS 2 even though many national cybersecurity strategies cover them. The report was adopted by Parliament in its plenary of 22 November 2021, together with the decision to enter into interinstitutional negotiations.
The Council adopted its negotiating position on 3 December 2021. Compared with the initial proposal for NIS 2, the Council introduced a number of significant changes. For instance, it introduced additional criteria to determine the entities to be covered by NIS 2, excluding from the scope entities operating in defence or national security, public security, law enforcement and the judiciary, as well as parliaments and central banks. It aligned the text with other related proposed legislation, such as the Directive on the resilience of critical entities (CER Directive) and the proposed Regulation on digital operational resilience for the financial sector (DORA). It also simplified the incident reporting obligations to avoid over-reporting, and extended the period for Member States to transpose NIS 2 into national law to two years, instead of 18 months.
Interinstitutional (trilogue) negotiations started on 13 January 2022, and the second round of trilogue negotiations took place on 17 February 2022. On Thursday 3 March 2022, the rapporteur presented the state of play of the negotiations to the members of the ITRE committee. Parliament's negotiators are insisting on the need for clear and precise rules for companies, and are against the exclusion of certain governmental or public bodies from the scope. Other aspects under discussion include the funding of cybersecurity centres and the deadlines for transposing the directive into national law.
On 13 May 2022 Parliament and the Council reached a political agreement. The revised directive sets out minimum rules for a regulatory framework and lays down cooperation mechanisms among the relevant authorities in each Member State. It updates the list of sectors and activities subject to cybersecurity obligations, and improves their enforcement. The directive formally establishes the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises. The directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope.
The political agreement was endorsed by the ITRE committee on 13 July 2022 and adopted by Parliament in its plenary of 10 November 2022, with 577 votes in favour, 6 against and 31 abstentions. The Council adopted the text on 28 November 2022, and the act was signed by both co-legislators on 14 December 2022. It was published in the Official Journal on 27 December 2022 and entered into force 20 days later. Member States have 21 months from the entry into force of the directive to transpose it into national law.
References:
- European Commission, The EU's Cybersecurity Strategy for the Digital Decade, JOIN(2020) 18
- European Commission, Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or 'NIS 2'), COM(2020) 823
- Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
- European Parliament, High common level of cybersecurity across the Union – NIS 2 Directive, 2020/0359(COD)
- Council, Proposal for a Directive for a high common level of cybersecurity across the Union, general approach, 26 November 2021
- European Economic and Social Committee, Opinion on the Cybersecurity Strategy and Resilience of Critical Entities, 27 April 2021, TEN/730-EESC-2020
Further reading:
- European Parliament, A high common level of cybersecurity – NIS2, Plenary At a Glance briefing, EPRS, November 2022
- European Parliament, The NIS2 Directive: A high common level of cybersecurity in the EU, legislative briefing, EPRS, June 2022
- European Parliament, Directive on security of network and information systems (NIS Directive), implementation appraisal briefing, EPRS, November 2020
- European Parliament, Improving the common level of cybersecurity across the EU, initial appraisal of a European Commission impact assessment, EPRS, February 2021
Author: Maria del Mar Negreiro Achiaga, Members' Research Service, legislative-train@europarl.europa.eu