EU law makers have reached a deal on proposed new legislation that promises to subject more organisations to cybersecurity requirements but ease reporting obligations around cyber incidents.
While precise details of what the draft new laws say have still to be published, high-level information about the second Network and Information Security Directive (NIS2) was made public after the European Parliament and Council of Ministers reached provisional agreement on the text late last week.
The existing NIS Directive came into effect in May 2018, setting cybersecurity requirements for ‘operators of essential services’ in core sectors of the economy like banking, energy, health and transport, and lighter touch cybersecurity duties for ‘digital service providers’ – online marketplaces, online search engines and cloud computing service providers. Operators of essential services and digital service providers also face incident reporting duties.
Plans to expand the NIS regime to more organisations were set out by the European Commission in late 2020. The draft NIS2 included ‘size-cap’ rules that envisaged medium and large entities in the relevant sectors falling automatically within its scope.
In a statement, the Council of Ministers has now confirmed that the ‘size-cap’ rules have generally been retained in the revised NIS2 text its negotiators have provisionally agreed with MEPs. However, it explained that not all medium and large entities will necessarily be subject to the updated framework, as the agreed text “includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered”.
According to the Council, the updated NIS2 draft also includes “minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state”. Those measures are designed to “remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states”, it said.
Proposed incident reporting requirements have also been “streamlined … to avoid causing over-reporting and creating an excessive burden on the entities covered”, it said.
The NIS2 proposals envisage greater coordination over the management of large-scale cybersecurity incidents. To this end, the draft text provides for the establishment of the European Cyber Crises Liaison Organisation Network, EU-CyCLONe.
The Council said that the provisionally agreed legislation has also been aligned with sector-specific legislation, including the proposed new EU Digital Operational Resilience Act (DORA) that is set to take effect in the financial services sector.
Both the Council and the Parliament will have to formally adopt the NIS2 text for the draft legislation to become EU law. Once the legislation is in force, EU member states will have 21 months to implement it.