EU Council of Ministers agrees position on ‘NIS2’ cyber law

Out-Law News | 07 Dec 2021 | 12:00 am | Reading time: 2 min.

The European Union’s Council of Ministers has agreed its negotiating position on legislation designed to enhance the bloc’s existing cybersecurity infrastructure.

The proposed reforms will update the EU’s Networks & Information Systems directive (NIS), first adopted in 2016, which required cross-border collaboration on cybersecurity, and set a benchmark for member states’ national safeguards.

The EU says the revised directive, known as ‘NIS2’, will remove “divergences in cybersecurity requirements” between member states, setting out minimum rules for a regulatory framework and providing “remedies and sanctions” to ensure its enforcement.

Like NIS, the new directive will apply primarily to operators of essential services, including transport, energy, water, banking and healthcare.

While member states are currently responsible for determining which organisations qualify as essential services operators, NIS2 would introduce a size-cap rule meaning that all medium and large entities in the relevant sectors would automatically fall within its scope.

The text of the Council’s agreed ‘general approach’ (150-page / 1.08MB PDF), however, clarifies that NIS2 will not apply to entities carrying out activities in areas like defence or national security, public security, law enforcement and the judiciary.

Parliaments and central banks would also be exempt from NIS2’s scope, though the public administration arms of central governments would not.

Member states would be left to decide whether NIS2 applies to the public administration of their regional and local governments too.

The Council also reduced the directive’s reporting obligations in order to avoid causing “over-reporting and creating an excessive burden on the entities covered”.

EU nations would have two years from NIS2 taking force in which to incorporate the provisions into their domestic law, according to the Council’s text.

NIS2 will also formally establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will coordinate the bloc’s management of large-scale cyberattacks.

Stuart Davey, cybersecurity expert at Pinsent Masons, said: “One of the main EU-based criticisms of the original NIS directive was the disparate manner in which it was implemented across the EU.”

“While NIS2 is not a regulation – and therefore there remains scope for continued divergence – the introduction of minimum rules will start to narrow down those areas of divergence,” he added.

“That, and the introduction of a broader framework for EU level cooperation, is likely to increase the ability for EU member states to coordinate responses to cross-border incidents.”

“It remains to be seen the extent to which any of the changes in NIS2 impact upon the UK, at least in the short term,” Davey said.

“The UK government completed a legislative review of the 2018 NIS regulations last year. It will continue to review them every five years, meaning the next post-implementation review isn’t for another three-odd years.”

“The UK government has expressed a preference for NIS to remain flexible, to adapt to changing circumstances and allow competent authorities to tailor their respective approaches to regulation,” he added.

Agreement over its general approach to NIS2 will allow the Council’s presidency to begin negotiations with the European Parliament next year.

Both the Council and the European Parliament will need to agree to the detail of the final text.