Council of the European Union adopts new Security of Network and Information Systems Directive (NIS2)

The Council has adopted NIS2, which replaces the Security of Network and Information Systems Directive (2016/1148/EU) (NIS Directive), to ensure a high common level of cybersecurity across the Union and further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.

The Council says that NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors covered by the Directive, such as energy, transport, health and digital infrastructure.

The revised Directive aims to harmonise cybersecurity requirements and the implementation of cybersecurity measures in different Member States. It sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each Member State. It also updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.

NIS2 will formally establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises within the EU.

While under the old NIS Directive Member States were responsible for determining which entities would meet the criteria to qualify as operators of essential services, NIS2 introduces a general “size” rule to identify regulated entities. This means that all medium-sized and large entities operating within the sectors or providing services covered by NIS2 will fall within its scope. However, the text also includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria to allow national authorities to identify additional entities that might also be covered.

NIS2 also clarifies that it will not apply to entities in areas such as defence or national security, public security, and law enforcement. Judiciary, parliaments, and central banks are also excluded from the scope.

NIS2 will also apply to public administrations at central and regional level. In addition, Member States may decide that it applies to such entities at local level too.

NIS2 has been aligned with sector-specific legislation, in particular the Regulation on digital operational resilience for the financial sector (DORA) and the Directive on the resilience of critical entities (CER), to provide clarity and ensure coherence between them.

NIS2 also contains a voluntary peer-learning mechanism to increase mutual trust and learning from good practices and experiences in the Union.

The new legislation also streamlines reporting obligations to avoid over-reporting and creating excessive burdens on entities in scope.

The text of NIS2 will be published in the Official Journal of the EU in the coming days and will enter into force on the twentieth day following publication. Member States will then have 21 months in which to incorporate the provisions into their national law. The Council's press release, which includes links to the NIS2 text, is available in full on the Council's website.