
On 29 January 2020, the European Commission’s new work programme was published. Under the second priority – ‘A Europe fit for the digital age’, the Commission announced its intention to launch a review of the Directive on security of network and information systems (NIS Directive), in order to ‘further strengthen overall cybersecurity in the Union’. According to the adjusted work programme, the review should be adopted in the last quarter of 2020.
The current Directive on security of network and information systems entered into force in August 2016. Member States had to transpose it into their national laws by 9 May 2018. The directive lays down requirements regarding national cybersecurity capabilities of Member States; rules for their cross-border cooperation; and requirements regarding national supervision of operators of essential services and key digital service providers.
The Commission launched on 7 July 2020 a public consultation on the revision of the NIS Directive that aims to collect views on its implementation and on the impact of potential future changes. The consultation closed on 2 October 2020.
On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy that aims to bolster Europe’s collective resilience against cyber threats and ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. Accordingly, the Commission made two new proposals: a Directive on measures for a high common level of cybersecurity across the Union (the revised NIS Directive, or ‘NIS 2’), and a new Directive on the resilience of critical entities.
The NIS Directive has increased national cybersecurity capabilities across the EU, requiring Member States to draw up a national cybersecurity strategy, to establish Computer Security Incident Response Teams (CSIRTs) and to appoint NIS national competent authorities, thereby improving the cyber resilience of public and private entities in specific sectors and across digital services. However, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. In order to respond to the growing threats arising from digitalisation and the increase in cyberattacks, the proposed revised NIS Directive (NIS 2) would repeal the existing NIS Directive.
The new proposal broadens the directive’s scope and aims to strengthen the security requirements imposed, addressing the security of supply chains, streamlining reporting obligations, and introducing more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions regimes across Member States. It also includes proposals for information sharing and cooperation on cyber crisis management at national and EU level. The proposed expansion of the scope covered by NIS 2 would effectively oblige more entities and sectors to take measures, increasing the level of cybersecurity in the EU over the longer term.
The ITRE committee voted on its report on 28 October 2021. The report calls for tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing. It aims to lower the administrative burden and to improve cybersecurity incident reporting. In addition, the report states that EU countries would have to meet stricter supervisory and enforcement measures, and harmonise their sanctions regimes.
The Council adopted its negotiating position on 3 December 2021. Compared to the initial proposal for NIS 2, the Council has introduced a number of significant changes. For instance, it has introduced additional criteria to determine the entities to be covered by NIS 2, excluding from the scope entities operating in defence or national security, public security, law enforcement and the judiciary, as well as parliaments and central banks. It has aligned the text with other related proposed legislation, such as the Directive on the resilience of critical entities (CER Directive) and the proposed Regulation on digital operational resilience for the financial sector (DORA). It has also simplified the incident reporting obligations to avoid over-reporting, and has extended the period for Member States to transpose NIS 2 into national law to two years, instead of 18 months.
It is expected that trilogue interinstitutional negotiations will start in 2022. RELINK cybersecurity consultants have specialised in the NIS 1 to NIS 2 transition, the largest transformation within IT security since the domain began.