Council and European Parliament reach agreement

SW – 05/2022

According to the EU’s cyber-security strategy for the digital decade, "cyber-security is an integral part of keeping Europeans safe. People need to know that they are protected from cyber threats, whether it's networked devices, power grids or banks, aircraft, public administrations or even in hospitals that they use or visit."

However, cyber-security risks are changing and intensifying as digitisation and networking progress. In order to improve the digital and physical resilience of critical facilities and networks such as those mentioned above, the European Commission presented its proposal for a directive on measures for a high common level of cyber-security across the EU in December 2020, at the same time as it presented its cyber-security strategy. The Council and the European Parliament reached a provisional agreement on May 13. The new directive, called NIS 2, will replace the current 2016 NIS Directive (Network and Information Security Directive).

Eliminating differences within the member states

The objective of the NIS 2 Directive is to protect against the effects of cyber attacks aimed at critical infrastructures. It is intended to eliminate existing differences between member states in their cyber-security requirements and in how cyber-security measures are implemented. At the same time it will establish minimum requirements for a legal framework and mechanisms for effective cooperation between the responsible authorities in the member states.

Expanded scope

The list of sectors and activities subject to cyber-security obligations will be updated. The NIS 2 Directive will introduce a threshold that includes all medium-sized and large companies operating in the sectors covered by the Directive or those that provide the type of services covered by the Directive. The provisional agreement between the Council and the European Parliament also includes provisions for ensuring proportionality, a higher risk management level and clear criticality criteria, i.e. criteria for determining which entities will be covered.

As public administrations are often the targets of cyber attacks, the NIS 2 Directive will also apply to these entities at both central and regional levels. The member states will also have the option to include appropriate institutions at the local level. Agencies or administrations in areas such as defence or national security, public safety, law enforcement and the judiciary will be excluded from the directive. Parliaments and central banks will not be covered by the directive either.

Next steps

The provisional agreement reached must now be formally confirmed by the Council and the European Parliament. Member states must then transpose the provisions stipulated in the directive into their national laws within 21 months of its coming into force.

Council conclusions about cyber defence

At its meeting on May 23, 2022, the Council also adopted conclusions on the development of the EU's cyber defence. In their conclusions, the ministers highlighted five tasks for the EU in the cyber domain:

· strengthening resilience and protective capacities

· strengthening solidarity and comprehensive crisis management

· promoting the EU's cyberspace vision

· increasing cooperation with partner countries and international organisations

· preventing, defending against and responding to cyber attacks

The Council also invited the European Commission to propose common EU cyber-security requirements for connected devices and related processes and services as part of a legislative Cyber Resilience Act (see report 4-2022). This will take into account the need for a horizontal and holistic approach covering the entire life cycle of digital products, as well as existing legislation, especially with regard to cyber-security.