The Telecommunications Ministers of the EU Member States adopted a common position (‘general approach’) on Friday 3 December over the revision of the Directive on a common high level of cyber security in the EU (NIS 2) (see EUROPE 12842/3).
“The stakes are high and the new NIS 2 Directive will play a very important role in strengthening our cyber security. It will also demonstrate that Europe is a leader in cybersecurity legislation”, said Slovenian Minister of Public Administration Boštjan Koritnik.
The text, which has been supported by a very large majority of Member States, is intended to improve the EU's ability to deal with cyber security incidents and to enhance resilience through cooperation.
In the detail of the text, the list of entities falling within the scope of the text has been expanded to include specific areas, such as transport, which were not previously covered. In addition, the text also provides for a size criterion to be used as a way of providing a cap for defining which entities will fall within the scope. Under current EU rules, this burden falls on Member States.
In addition, certain entities will be excluded from the scope of application, for example, those active in the fields of defence or national security. Public administrations will be covered on a national scale. It will then be up to the Member States to decide whether or not to apply the text to local and regional governments.
However, some points will still need to be clarified in future inter-institutional negotiations.
“Our health system was attacked in May 2021 and we quickly realised that cooperation was vital. But we need to fine-tune all the wording. The NIS 2 Directive must be able to function on the ground and not be a source of friction in the future”, summarised the Irish Minister for eGovernment Ossian Smyth.
Avoiding administrative overloads
In public exchanges between ministers, the issue of administrative overload – and potential costs – also came up frequently.
“Broadening the scope places an additional burden on Member States. When you weigh up the pros and cons, you realise that you will have to put a figure on the costs”, said the German State Secretary for Digital and Innovation, Elisabeth Winkelmeier-Becker.
“As part of future discussions, it will be important not to impose disproportionate administrative burdens on Member States. I am particularly thinking of the smallest states that have limited resources”, added the Latvian Minister for Regional Development. Artūrs Toms Plešs.
In this respect, some countries such as Poland have called for a reflection on the implementation of a “financial mechanism” to “support national efforts”. “Without the required funding, the NIS 2 Directive will not work. It is up to Member States to ensure security, but this is a pan-European issue”, stressed Polish Undersecretary of State for Digital Affairs, Janusz Cieszyński.
On the other hand, a very large majority of Member States emphasised the need for them to retain a large degree of flexibility so that they could take account of national specificities and existing frameworks.
“The directive should not prevent Member States from taking certain necessary measures, for example to protect their national security”, insisted the Swedish Minister for Digital Development, Khashayar Farmanbar.
In the European Parliament, members of the Committee on Industry, Research and Energy (ITRE) adopted the draft report by Bart Groothuis (Renew Europe, the Netherlands) on 28 October on a common high level of cyber security (see EUROPE 12822/11). The European Parliament mandate for the negotiations was also adopted on the same day. (Original version in French by Thomas Mangin)