On Friday 3 December, the Telecommunications Ministers of the EU Member States will be invited to adopt their position (‘General Approach’) on measures to ensure a high common level of cybersecurity throughout the EU (NIS 2) (EUROPE 12823/11).
In response to concerns expressed by several Member States during the drafting of the different versions of the compromise text, several points have been clarified.
Several Member States had expressed concerns about what they considered to be a “significant” increase in the number of entities covered by the scope of the NIS 2 Directive.
The general rule, based on the introduction of the size criterion for medium and large entities, has been retained, but additional provisions have been introduced to make it clearer which entities are covered by the Directive.
In addition, the inclusion of public administration in the scope had also been subject to debate. The approach in the text is now based on the fact that the NIS 2 Directive will apply to entities that are part of “central” governments. It will be up to the Member States to decide whether to apply the Directive to local and regional authorities.
Removal of the obligation to report cyber threats
The EU Council Presidency also listened to the wishes of several Member States regarding the clarification of the exclusion clauses for entities active in the field of defence or national security.
For example, the text states that the Directive does not apply to entities which carry out their activities - “exclusively or otherwise” - in the fields of defence or national security. Entities active in the fields of national security, law enforcement and justice are also excluded from the scope, as are parliaments and central banks.
In the face of opposition from Member States to the European Commission’s introduction of mandatory peer review, the text, which will be submitted to the relevant ministers on 3 December, proposes that this process should be based on “mutual trust” and be the result of a “voluntary process” on the part of governments.
Finally, the obligation to report significant cyber threats was excluded from the compromise text, as Member States feared that the entities concerned would be “overburdened”.
In the European Parliament, the members of the Committee on Industry, Research and Energy (ITRE), which is responsible for the dossier, adopted on 28 October the text proposed by Dutch MEP Bart Groothuis (Renew Europe) (see EUROPE 12822/11).
MEPs also voted the same day to open negotiations with the EU Council. The European Parliament’s negotiating mandate was announced in plenary session on 10 November.
See the document: https://bit.ly/3D1VhnR (Original version in French by Thomas Mangin)