On Monday 13 September, the Slovenian Presidency of the Council of the European Union finalised the new version of the compromise text on the scope of the ‘NIS 2’ Directive (see EUROPE 12752/4), which is intended to promote greater harmonisation and a higher level of cyber security in the EU.
The Council Presidency emphasises the notion of size in particular in this document, a copy of which was obtained by EUROPE. While nothing changes in terms of the size limit for large entities, various changes have been introduced for medium-sized entities.
The text proposes that all large entities, entities that have been identified as critical, as well as public communication networks, trustworthy service providers or entities in a monopoly situation and providing essential services in a Member State should be considered as essential.
States could, on the basis of various criteria such as systemic risks or the impact that a disruption could have on security or public health, consider medium, small or micro entities as essential.
In order to ensure that small and micro entities meeting certain criteria indicating a key role for the economy or society are covered by the Directive, the Slovenian Presidency put forward the idea of a list drawn up by the Member States and forwarded to the European Commission, specifying their type, size and, where this is consistent with national security rules, their name.
More broadly, the Council Presidency also proposes that Member States establish national registration mechanisms for entities to ensure “a clear overview”.
“These registers should also include the public administration entities to which this directive applies”, the compromise document says.
Finally, while the principles of ex-ante and ex-post supervision of large and critical entities have been retained as they are, the EU Council’s approach introduces prioritisation and risk-based supervision.
This would allow competent authorities to prioritise and select the monitoring actions and means available to them, such as the number, frequency or type of on-site inspections or audits.
The various monitoring methods identified could be subject to regular evaluation and review, particularly with regard to resource allocation and needs.
See the compromise text: https://bit.ly/3loQyWw (Original version in French by Thomas Mangin)