The Commission is undertaking an assessment of the Directive on Security of Network and Information Systems (NIS) one year ahead of schedule, applicable since 9 May 2018. On 25 June it published a roadmap combined with a preliminary impact assessment, which was submitted for seven weeks to the feedback mechanism.
Barely two years old
As a reminder, the NIS Directive 2016/1148 is the first horizontal internal market instrument to improve the resilience of networks and systems in the EU against cybersecurity risks (see EUROPE 11347/8). It requires operators of so-called essential services (in the field of health, banking, transport, etc.) or key services (search engines, online marketplaces, etc.) to report any major security incidents to the competent national authorities. It should have been assessed on 9 May 2021.
In its revised 2020 work programme, however, the Commission has chosen to speed up its work, particularly in view of the Covid-19 crisis which has highlighted the EU's dependence on information technology. It also notes in the roadmap that, while the 2016 Directive has had positive effects, it also comes with a series of implementation problems. “Member States have opted for very different approaches when implementing the Directive because of the minimum level of harmonisation and the identification procedure applicable to essential service operators, which leaves a wide margin of discretion to Member States”, says the Commission document, which therefore notes significant “inconsistencies” and “fragmentation” in the legal landscape.
Four working options
In its roadmap, the Commission therefore puts four options on the table: (1) the status quo, which leaves it to Member States to continue implementing the Directive as it stands; (2) non-legislative measures which could take the form of guidelines in the less harmonised areas, such as the identification of essential service operators; (3) targeted legislative changes to the current NIS Directive with the aim of clarifying certain provisions and improving the harmonisation of the current rules. In particular, the Commission could propose to modify certain definitions, to introduce more harmonised elements in the process of identifying operators of essential services, or to extend the scope of the Directive to other services or sectors; (4) the repeal of the 2016 Directive in order to propose new, more precise and detailed rules. The legislation that would replace it could streamline procedures, include new sectors or services and provide for new measures for information sharing.
The feedback mechanism is open until 13 August 2020.
Link to the roadmap: https://bit.ly/3eK9MBs (Original version in French by Sophie Petitjean)