On 3 December, the Council agreed on its position on the proposal for a Directive on measures for high common level of cybersecurity across the Union (the “NIS2 Directive”). This follows the adoption of the Report on NIS2 by the European Parliament’s Committee on Industry, Research and Energy on 28 October 2021 (please see our previous newsletter).
To recall, the overall aim of the Commission’s proposal for a NIS2 Directive as of 16 December 2020 (which is sought to replace the current NIS Directive) is to remove divergences in cybersecurity requirements and to respond to the growing threats posed with digitalisation and the surge in cyber-attacks. To achieve this, the proposal follows a minimum harmonisation approach and expands the scope of the current NIS Directive, by obliging more entities and sectors to take measures (including for example social media platforms and the public administration). It also aims to strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.
In summary, in its general approach the Council reacted to the concerns expressed during the discussions during the legislative process. One of the main concerns was the significant increase in the number of entities covered by the Directive, and, in particular, the introduction of the size-cap rule whereby basically all medium and large entities that operate within the sectors or provide the services covered by the NIS2 Directive fall within its scope. Other concerns related inter alia to the interaction of the NIS2 Directive with sectoral legislation, in particular, the Resilience of Critical Entities Directive (the “CER Directive”), which was proposed alongside the NIS2 proposal, and the initiative on the digital operational resilience act for the financial sector (the “DORA”).
The main changes introduced by the Council regarding the Commission’s proposal for a NIS2 Directive are as follows:
- Re-sharpening of the scope of the NIS2 Directive: The proposal keeps the general size-cap rule introduced by the Commission and include additional provisions to ensure the “necessary proportionality, a greater level of risk management and clear-cut criticality criteria for determining the entities that fall under the scope of the Directive”, as set out in the Council’s introduction to its proposal. Furthermore, the Council expands the scope of NIS2 obligations by including business-to-business ICT service management (covering managed service providers and managed security service providers) as a further type falling under the category of essential entities.Though, having generally welcomed this positive step, there has also been criticism from some industry associations. They highlight that this new category leaves out providers of software and firmware that support the critical functions performed by regulated entities and that frequently become an integral part of the networks and services delivered to European citizens and businesses. Considering the importance of the security of critical ICT supply chains, industry associations call upon the co-legislators to properly reflect the importance of supply chain security.To take into account the specifics of the national public administration frameworks and ensure a degree of flexibility for Member States, according to the Council’s position, the NIS2 Directive will apply to public administration entities of central governments while Member States may also establish that the Directive applies to public administration entities at regional and local level. In addition, the Council text also further clarifies the exclusion clause: the NIS2 Directive will not apply to entities that mainly carry out activities in the areas of defence, national security, public security, or law enforcement, or to activities concerning national security or defence. The judiciary, parliaments and central banks are also excluded.
- Alignment of the NIS2 Directive with the sectoral legislation: The Council text contains a dedicated article on sector-specific Union acts to provide legal clarity and ensure coherence between the NIS2 Directive and the sector-specific legislation, in particular the DORA and the CER Directive. This new article maintains the Commission’s initial approach that the NIS2 Directive should be the baseline for minimum harmonisation on cybersecurity, stipulating that where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk management measures or to notify significant incidents or cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive shall not apply to such entities. The Council has thereby clarified in its position what aspects should be considered when determining the equivalent effect of obligations set out in the sector-specific provisions of a Union legal act. This includes in particular that the cybersecurity risk management measures should consist of appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems, which the relevant entities use in the provision of their services, and should include as a minimum all the elements laid down in the NIS2 Directive.Regarding the interaction with the CER Directive, the Council text ensures greater clarity on the “all-hazard” approach. As threats to the security of network and information systems can have different origins, the Council text specifies that the NIS2 Directive applies an “all-hazard” approach. This approach includes the protection of network and information systems and their physical environment from any event such as theft, fire, flood, telecommunications or power failures, or from any unauthorised physical access and damage to and interference with the entity’s information and information processing facilities that could compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.
- Clarifications with respect to cybersecurity risk management obligations: Considering the aforementioned “all-hazard” approach, according to the Council’s position, the risk management measures should also address the physical and environmental security by including measures to protect the entity’s network and information systems from system failures, human error, malicious actions or natural phenomena in line with European or internationally recognised standards, such as those included in the ISO 27000 series. In this regard, entities should, as part of their risk management measures, also address human resources security, and have in place appropriate access control policies (such measures have been newly introduced by the Council’s proposal). Those measures should be thereby coherent with CER Directive.In addition, the Council text clarifies that, when assessing the proportionality of the technical and organisational measures, due account shall be taken of the degree of the entity’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity. Having regard to the level and type of the risk posed to society in the event of incidents affecting essential or important entities, cybersecurity risk management measures imposed on important entities (e.g., operating in the sector waste management, manufacturing, digital providers) may be less stringent than those imposed on essential entities (e.g., operating in the sector energy, transport, health, digital infrastructure).Taking into account the cross-border nature of certain entities, the Council text also foresees an obligation of the Commission to adopt an implementing act that should facilitate the implementation of cybersecurity measures and subject certain entities (incl. inter alia cloud computing service providers, data centre service providers, content delivery network, and trust service providers) to a higher degree of harmonisation at Union level.
- Streamlining reporting obligations: The Council’s position maintains reporting obligations of the essential and important entities with respect to incidents having a significant impact on the provision of their services. Following concerns expressed by Member States that it would overburden entities covered by the NIS2 Directive and lead to over-reporting, the mandatory reporting for significant cyber threats to the competent authorities or the Computer Security Incident Response Teams (CSIRT) (that those entities identify and that could have potentially resulted in a significant incident) has been, however, excluded in the Council text.
- Clarifications with respect to jurisdiction: Member States have expressed concerns with the consequences of having a differentiated jurisdiction for entities in the ICT sector, as proposed by the Commission. Against this background, the Council text has clarified jurisdiction based on the type of entities.
The general approach reached on 3 December 2021 will allow the Council presidency to start negotiations with the European Parliament. Both the Council and the European Parliament will need to agree on the final text. Once it is adopted, Member States will have to transpose the NIS2 Directive into their national law. According to the Council text, Member States would have 24 months (and not 18 months as foreseen in the Commission’s proposal) from the entry into force of the directive to undertake such an incorporation.