The Council of the EU and the European Parliament have reached a provisional agreement on the proposed Directive on measures for a high common level of cybersecurity across the Union (“NIS2”).
Once adopted, NIS2 will replace the current Directive on Security of Network and Information Systems (Directive (EU) 2016/1148, the “NIS Directive”). NIS2 will introduce a number of changes, including bringing more sectors and services within the scope of the NIS rules and introducing an updated and more stringent regime of security obligations and incident notification requirements (see our previous blog for further details of the proposals). Although the agreed text of NIS2 has not yet been published, the Council has issued a statement setting out a high-level summary of some of the key areas of agreement:
- Risk and incident management and cooperation – NIS2 will update the list of sectors and activities subject to cybersecurity obligations and provide for remedies and sanctions to ensure enforcement. It will set out minimum rules for a regulatory framework and lay down mechanisms for cooperation among the relevant authorities in each Member State. In addition, NIS2 will formally establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises.
- Widening the scope of the rules – Under the NIS Directive, Member States have a margin of appreciation when determining which entities meet the criteria to qualify as operators of essential services. Under NIS2, a uniform criterion – the ‘size-cap rule’, under which medium-sized and large entities operating in the sectors listed in the directive are in scope by default – will determine which entities are caught. While the European Parliament and the Council have confirmed that the general ‘size-cap’ rule has been maintained, the agreed text “includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered”.
The European Parliament and the Council have also confirmed that NIS2 will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope. However, NIS2 will apply to public administration entities at central and regional level and Member States can decide whether to apply it to these entities at local level.
- Sector-specific legislation – the European Parliament and the Council have aligned the text of NIS2 with sector-specific legislation, including the Regulation on digital operational resilience for the financial sector (DORA) and the Directive on the resilience of critical entities (CER), with the aim of ensuring coherence between NIS2 and these acts.
Proposed incident reporting obligations have also been “streamlined … in order to avoid causing over-reporting and creating an excessive burden on the entities covered”.
The provisional agreement is now subject to formal approval by the Council and the European Parliament. Once adopted and published, Member States will have 21 months to transpose NIS2 into national law.
For further information, please get in touch with your usual DLA Piper contact or email us at firstname.lastname@example.org.