European Parliament approves text of NIS2 Directive: a high common level of cybersecurity in the EU

The Network and Information Security (NIS) Directive (2016/1148/EU) was the first piece of EU-wide legislation on cybersecurity. Its specific aim was to achieve a high common level of cybersecurity across Member States.

According to the EU Parliament, while the NIS Directive increased Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market.

To respond to the growing threats posed by digitalisation and the surge in cyber-attacks, in June 2022 the Commission submitted a proposal to replace the NIS Directive in order to strengthen security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. The Commission said that the proposed expansion of the scope of NIS2, effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term.

The Council agreed its position on 3 December 2021. The co-legislators reached a provisional agreement on the text on 13 May 2022. The text has now been formally adopted by the EU Parliament.

The approved text sets tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions.

More entities and sectors will have to take measures to protect themselves. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors will be covered by the new security provisions.

The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation.

It also establishes a framework for better cooperation and information sharing between different authorities and Member States, and creates a European vulnerability database.

The Council of the EU must now formally adopt the text before it is published in the Official Journal. To read the EU Parliament’s press release in full and for a link to the approved text, click here.