Negotiators from the Council of the EU and the European Parliament reached a provisional political agreement on the revision of the NIS Directive, which aims to ensure a high level of cyber security throughout the EU, after several hours of discussion in a final round of interinstitutional negotiations (‘trilogues’) on Thursday 12 May. The future ‘NIS 2’ directive (see EUROPE 12903/18) should, among other things, increase the capacity to respond to cyber security incidents in the public and private sectors.
“Cyber threats have become bolder and more complex. It was imperative to adapt our security framework to the new realities and to ensure that our citizens and our infrastructure are protected”, said Internal Market Commissioner Thierry Breton.
“This is another important breakthrough in our European Digital Agenda, this time to ensure the protection of citizens and businesses and trust in essential services”, added European Commission Vice-President Margrethe Vestager, who is responsible for a Europe fit for the Digital Age.
In concrete terms, the provisional agreement on the new ‘NIS 2’ directive first of all extends the scope of the text. Until now, it has been up to the Member States to determine which entities qualify as essential services. In the future, the directive itself will lay down the rule that all medium-sized and large entities in the sectors it covers, or providing services within its scope, fall under the directive.
However, the text provides for several exceptions, in order to ensure the principle of proportionality and the focus on critical entities.
The question of the non-application of the directive to certain sectors, which was debated for a long time, was also decided by the co-legislators. Thus, actors in the fields of defence, national security, public security, law enforcement and the judiciary will not be obliged to comply with the rules of the directive, nor will central banks and parliaments.
However, the text provides that the energy, health, transport and digital infrastructure sectors, or companies active in the latter sector, will be subject to the rules of the ‘NIS 2’ directive as originally planned.
Room for manoeuvre for Member States in certain areas
Furthermore, the text states that the directive will apply in the Member States at national and regional level. Member States will have flexibility and can choose whether the directive should be applied at local level.
In addition to updating the sectors, activities and actors falling within its scope, the new text also introduces a new regime of remedies and sanctions for non-compliance.
The implementation of the ‘NIS 2’ directive will also mark the formal establishment of the European network for crisis preparedness and management in cyberspace, which should serve to develop cooperation and the “coordinated management” of major incidents.
Several other changes were also made by the co-legislators over the course of the trilogues. Thus, the text incorporates a voluntary peer-learning mechanism. This exchange of best practice and experience should increase mutual trust between Member States and the various stakeholders.
The reporting obligations, as foreseen in the European Commission’s original proposal, have also been revised in order not to cause an ‘over-reporting’ effect, which would de facto lead to a significant workload for the entities concerned.
Finally, the text also specifies the deadline for transposition into the Member States’ national law. This period, which was also discussed, was set at 21 months from the entry into force of the text. (Original version in French by Thomas Mangin)