Cyber-security for critical facilities and networks
Council and European Parliament reach agreement
SW – 05/2022
According to the EU's cyber-security strategy for the digital decade, "cyber-security is an integral part of keeping Europeans safe. People need to know that they are protected from cyber threats, whether it's networked devices, power grids or banks, aircraft, public administrations or even in hospitals that they use or visit."
However, cyber-security risks are changing and intensifying as digitisation and networking progress. In order to improve the digital and physical resistance of critical facilities and networks such as those mentioned above, the European Commission presented its proposal for a directive on measures for a high common level of cyber-security throughout the EU in December 2020, at the same time as it presented its cyber-security strategy. The Council and the European Parliament reached a provisional agreement on May 13. The new directive, called NIS 2, will replace the current 2016 NIS Directive (Network and Information Security Directive).
Eliminating differences within the member states
The objective of the NIS 2 Directive is to protect against the effects of cyber attacks aimed at critical infrastructures. It should eliminate existing differences in member states' cyber-security requirements and in how cyber-security measures are implemented. At the same time it will also establish minimum requirements for a legal framework and mechanisms for effective cooperation between the responsible authorities in the member states.
Expanded scope
The list of sectors and activities subject to cyber-security obligations will be updated. The NIS 2 Directive will introduce a threshold that includes all medium-sized and large companies operating in the sectors covered by the Directive or providing the types of services covered by the Directive. The provisional agreement between the Council and the European Parliament also includes provisions for ensuring proportionality, a higher level of risk management and clear criticality criteria, i.e. criteria for determining which entities will be covered.
As public administrations are often the targets of cyber attacks, the NIS 2 Directive will also apply to these entities at both central and regional levels. The member states will also have the option to include appropriate institutions at the local level. Agencies or administrations in areas such as defence or national security, public safety, law enforcement and the judiciary will be excluded from this directive. Neither will parliaments and central banks be covered by the directive.
Next steps
The preliminary agreement reached must now be formally confirmed by the Council and the European Parliament. Member states must then implement the provisions stipulated in the directive in their national laws within 21 months of its entry into force.
Council conclusions about cyber defence
The Council also adopted conclusions on how the EU's cyber defence will be developed at its meeting on May 23, 2022. In their conclusions, the ministers highlighted five tasks for the EU in the cyber domain:
· strengthening resistance and protective capacities
· strengthening solidarity and comprehensive crisis management
· promoting the EU's cyberspace vision
· increasing cooperation with partner countries and international organisations
· preventing, defending against and responding to cyber attacks
The Council also invited the EC to propose common EU cyber-security requirements for connected devices and related processes and services as part of a legal cyber resistance act (see report 4-2022). This will take into account the need for a horizontal and holistic approach covering the entire service lives of digital products, as well as existing legislation, especially with regard to cyber-security.