The NIS 2 Directive

What is the NIS 2 Directive?

The NIS 2 Directive (Directive (EU) 2022/2555) is a legislative framework designed to enhance cybersecurity across the European Union by establishing a high common level of security for network and information systems. It builds upon the original NIS Directive, expanding its scope and strengthening requirements to better address evolving cyber threats.

Under NIS 2, essential and important entities must adopt appropriate, proportionate technical, operational, and organizational measures to manage cybersecurity risks. These measures aim to protect network and information systems, as well as to prevent or minimize the impact of incidents on service recipients and interconnected services.

The directive mandates an "all-hazards" approach, meaning that entities must be prepared to address a wide range of threats, from cyberattacks to physical disruptions, ensuring comprehensive protection and resilience in their operations.


7 November 2024: Commission Implementing Regulation (EU) 2024/2690 of 17 October is published in the Official Journal of the European Union

Full name: COMMISSION IMPLEMENTING REGULATION (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.

According to Article 1 (Subject matter), this Regulation, with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers (the relevant entities) lays down the technical and the methodological requirements of the measures referred to in Article 21(2) of Directive (EU) 2022/2555 and further specifies the cases in which an incident shall be considered to be significant as referred to in Article 23(3) of Directive (EU) 2022/2555.

According to Article 16 (Entry into force and application), this Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

The official text:

https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj


7 November 2024: ENISA is inviting industry stakeholders to provide comments on Commission Implementing Regulation (EU) 2024/2690 of 17 October

ENISA is developing technical guidance to support EU Member States and entities with the implementation of the technical and methodological requirements of the NIS 2 cybersecurity risk-management measures outlined in the Commission Implementing Regulation (EU) 2024/2690 of 17.10.2024.

ENISA develops this technical guidance to provide:

- Additional advice and tips on what to consider when implementing a requirement and further explanation about concepts and terms used in the legal text;

- Examples of evidence, which could be used to assess if a requirement has been met;

- Tables, mapping the security requirements in the Implementing Regulation to European and international standards, as well as national frameworks.

The draft of the technical guidance is now available for industry consultation:

https://www.enisa.europa.eu/publications/implementation-guidance-on-nis-2-security-measures


17 October 2024: The Commission adopted the first implementing regulation on NIS 2 Directive.

The implementing regulation will apply to specific categories of companies providing digital services, such as cloud computing service providers, data centre service providers, online marketplaces, online search engines and social networking platforms, to name a few. For each category of service providers, the implementing act also specifies when an incident is considered significant.

The full name is:

COMMISSION IMPLEMENTING REGULATION (EU) of 17.10.2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.

Next Steps: The implementing regulation will be published in the Official Journal in due course and enter into force 20 days thereafter.

https://digital-strategy.ec.europa.eu/en/library/nis2-commission-implementing-regulation


17 October 2024: NIS 2 Directive, Deadline for EU Member States

Under Article 41 (Transposition) of the NIS 2 Directive, by 17 October 2024, all EU Member States are required to adopt and publish the national measures necessary to ensure compliance with the directive. These measures are critical for aligning national legislation with the enhanced cybersecurity requirements introduced by NIS 2.

Following the adoption, these measures must be enforced starting from 18 October 2024, marking the beginning of a new era in cybersecurity across the EU.

Many Member States have faced delays in transposing the directive into national law. This has raised concerns about the uniform implementation of the directive’s provisions and the readiness of essential and important sectors to comply with enhanced cybersecurity requirements.


December 2022 - the NIS 2 Directive was published in the Official Journal of the European Union as Directive (EU) 2022/2555.

Full name: "Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)".


Which is correct? NIS 2 or NIS2?

NIS 2 is the correct name, as this is the name published in the Official Journal of the European Union.


NIS 2 or NIS2?

The name NIS2 has also been used in official documents.


Deadlines: By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.

They shall apply those measures from 18 October 2024.

Directive (EU) 2016/1148 (the NIS Directive) is repealed with effect from 18 October 2024.

By 17 July 2024 and every 18 months thereafter, EU-CyCLONe shall submit to the European Parliament and to the Council a report assessing its work.

By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.

The Cooperation Group shall, on 17 January 2025, establish, with the assistance of the Commission and ENISA, and, where relevant, the CSIRTs network, the methodology and organisational aspects of peer reviews with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Member States’ cybersecurity capabilities and policies necessary to implement this Directive. Participation in peer reviews is voluntary. The peer reviews shall be carried out by cybersecurity experts. The cybersecurity experts shall be designated by at least two Member States, different from the Member State being reviewed.

By 17 April 2025, Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.

By 17 April 2025 and every two years thereafter, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.

By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council.


Important obligations: According to Article 20 (Governance), the management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee their implementation and "can be held liable for infringements."

According to Article 20, Member States shall ensure that the "members of the management bodies of essential and important entities are required to follow training," and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

According to Article 21 (Cybersecurity risk-management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the "state-of-the-art" and, where applicable, relevant European and international standards, as well as the cost of implementation, those measures shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

The measures shall be based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include "at least" the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.


Important note for non-EU entities: Under Article 26 (Jurisdiction and territoriality), if an entity referred to in Article 26(1)(b) ("DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms") is not established in the EU, but offers services within the EU, it shall designate a representative in the EU. The representative shall be established in one of those Member States where the services are offered. Such an entity shall be considered to fall under the jurisdiction of the Member State where the representative is established. In the absence of a representative, any Member State in which the entity provides services may take legal action against the entity for the infringement of this Directive.


July 24, 2024 – The first report on the cybersecurity and resilience of Europe’s telecommunications and electricity sectors.

The Council, in its Conclusions on the development of the European Union’s cyber posture of 23 May 2022, invited the Commission, the High Representative and the NIS Cooperation Group, in coordination with relevant civilian and military bodies and agencies and established networks, including the EU CyCLONe, to conduct a risk evaluation and build risk scenarios from a cybersecurity perspective in a situation of threat or possible attack against Member States or partner countries and present them to the relevant Council bodies.

The report puts forward a number of recommendations across 4 areas for improvement, including the recommendation that Member States conduct further self-assessments for the sectors as per the NIS 2 Directive and CER Directive.

The scenarios are of particular interest in a Europe that is preparing for hybrid warfare. One of the scenarios from the report is reproduced below:

Risk Scenario

Context

In the context of ongoing military operations, a state sponsored cyberwarfare group is engaged in the delivery of targeted simultaneous attacks against several power plants connected on a country’s power grid leveraging a recently developed wiper and a range of zero-day vulnerabilities and backdoors in wind turbines, solar panels and electric cars.

Technical

The cyberwarfare group was able to leverage a zero-day vulnerability in a product used by multiple power plants in the EU to gain foothold to their IT environments. From there, the group leveraged the lack of adequate IT/OT network segregation wherever applicable, to move laterally to OT networks where it deployed its custom-made wiper malware.

At the same time, the well-resourced group exacerbates the attack by targeting back-up options.

At first, all wind turbines are being shut off during windy conditions by leveraging a backdoor in a critical component that was manufactured in a third country that (indirectly) supports the cyberwarfare group’s cause. The same then happens for solar panels produced within the third country. Finally, some electric cars start drawing more from the grid than they should, further increasing the load on the grid.

Impact

As a result of the activity of the wiper on the affected power plants, several OT systems are rendered unavailable. This keeps much of the generation off-the-grid, thus impacting the management and operation of the energy system by the transmission network operator of the country. This results in forced rolling blackouts which are worsened by the unavailability of backup generation from wind farms.

The resetting and commissioning of the affected OT systems lasts up to two weeks, by when the situation is fully back to normal. Additionally, though most or all Member States were affected, those who are heavily dependent on wind or solar energy as a secondary source might have to request support from other Member States while they are dealing with their own situation. This requires effective cooperation at EU level.

The rolling blackouts may also cause additional multi-sectoral cascading effects and potentially black starts in several countries. Public rail and road systems (e.g., bus and rail schedules, train operations, signalling systems or track switches) that are successfully disrupted, would be in some cases paralysed. Public administration would likely cease most of its operations for the days of the total blackout, except for emergency services.

The impact of the power outages on the health system would be far-reaching and result in an increased need for emergency care. With limited power and reliance on generators, hospital services are immediately reduced and healthcare facilities are often not able to provide basic services. Payment systems would also be severely affected, with significant consequences for the retail sector where particularly access to food could pose a major problem.


July 12, 2024 – The Artificial Intelligence Act was published in the Official Journal of the European Union.

The AI Act is very important for experts implementing the NIS 2 Directive and the Critical Entities Resilience Directive (CER, Directive (EU) 2022/2557).

According to Article 9.10 of the AI Act: “For providers of high-risk AI systems that are subject to requirements regarding internal risk management processes under other relevant provisions of Union law, the aspects provided in paragraphs 1 to 9 may be part of, or combined with, the risk management procedures established pursuant to that law.”


NIS 2 and the AI Act, common implementation examples:

a. Risk Management. NIS 2 emphasizes risk management processes, requiring organizations to implement measures to prevent and mitigate cybersecurity incidents. The AI Act focuses on risk management for AI systems, including cybersecurity, testing, documentation, and mitigation strategies.

b. Incident Reporting and Response. NIS 2 requires entities to report significant cybersecurity incidents within 24 hours. The AI Act includes provisions for monitoring and reporting cybersecurity incidents related to AI systems.

c. Governance and Accountability. NIS 2 establishes clear responsibilities for senior management in ensuring compliance with cybersecurity measures and reporting. The AI Act asks for robust governance frameworks, including accountability mechanisms and documentation practices to demonstrate compliance.

d. Data Protection and Security. NIS 2 stresses the importance of securing network and information systems to protect data integrity, availability, and confidentiality. The AI Act requires high-risk AI systems to incorporate measures ensuring data quality and data governance.


Is data poisoning (as described in the Artificial Intelligence Act) an important challenge for experts implementing the NIS 2 Directive too?

Data poisoning is a form of attack on machine learning (ML) systems where adversaries intentionally manipulate the training data to influence a model's behavior.

Backdoor attacks are data poisoning attacks where adversaries manipulate the training data to embed a hidden backdoor within the model. This backdoor remains dormant during normal operations but activates in the presence of a specific trigger, leading to malicious behavior.

Example 1: AI-based spam filters are advanced systems designed to detect and block unwanted email messages, using artificial intelligence and machine learning techniques. These filters analyze various attributes and patterns within emails to determine their likelihood of being spam or unwanted. By poisoning the training data of spam filters and introducing specific words or patterns as safe, adversaries can bypass detection and conduct phishing attacks or deliver malware.

Example 2: AI-based Intrusion Detection Systems (IDS) are designed to identify and respond to potential security threats within a network by analyzing data and recognizing patterns indicative of malicious activities. If an AI-based IDS is trained with mislabeled data (poisoned data), and actual threats are labeled as safe, the IDS would fail to detect and alert on real attacks, allowing cybercriminals to bypass defenses.

Example 3: AI-based surveillance systems utilize AI and machine learning technologies to monitor, analyze, and interpret data from various sensors and cameras. These systems are designed to detect and respond to potential security threats in real-time by automatically recognizing patterns, identifying anomalies, and alerting security personnel to suspicious activities.

In AI data poisoning attacks, adversaries alter sensor data in AI-based surveillance systems to hide certain activities. Data poisoning corrupts the learning process of machine learning models by introducing poisoned data during the training phase. This causes the models to learn incorrect patterns, leading to faulty decision-making during real-time surveillance. By disabling alerts when certain patterns are detected, attackers can bypass systems and exfiltrate data without raising alarms.
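The mislabeled-training-data case in Example 2 can be screened for before a model is trained. The following is an added example, not part of the original page: a label-consistency check that flags training records whose label disagrees with most of their nearest neighbours. The feature names, flow IDs, sample rows and the thresholds k=5 and 0.5 are assumptions made for illustration.

```python
"""Label-consistency check for an IDS training set (added example).

Flags training records whose label disagrees with most of their nearest
neighbours in feature space, a pre-training sanitisation step against
label-flipping poisoning.
"""
import csv
import io
import math
from collections import Counter

# Constructed sample data (not real telemetry). Column names are
# hypothetical flow features. Flows f12 and f13 sit in the malicious
# cluster but carry a "benign" label, as a label-flipping attack would do.
TRAINING_CSV = """\
flow_id,bytes_out_kb,distinct_dst_ports,failed_logins,label
f01,12,2,0,benign
f02,15,3,0,benign
f03,10,1,1,benign
f04,18,2,0,benign
f05,14,3,1,benign
f06,11,2,0,benign
f07,480,60,25,malicious
f08,510,72,30,malicious
f09,450,55,22,malicious
f10,530,65,28,malicious
f11,495,70,35,malicious
f12,500,68,27,benign
f13,470,58,24,benign
"""

FEATURES = ("bytes_out_kb", "distinct_dst_ports", "failed_logins")


def load_records(text):
    """Parse the CSV into (flow_id, feature_vector, label) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["flow_id"], [float(r[f]) for f in FEATURES], r["label"])
            for r in rows]


def min_max_scale(vectors):
    """Scale each feature to [0, 1] so no single feature dominates distance."""
    cols = list(zip(*vectors))
    lows = [min(c) for c in cols]
    # A constant column has zero range; use 1.0 to avoid division by zero.
    spans = [(max(c) - min(c)) or 1.0 for c in cols]
    return [[(v - lo) / sp for v, lo, sp in zip(vec, lows, spans)]
            for vec in vectors]


def suspicious_labels(records, k=5, min_agreement=0.5):
    """Return (flow_id, given_label, neighbour_majority, agreement) for every
    record whose label is shared by fewer than min_agreement of its k
    nearest neighbours (Euclidean distance on scaled features)."""
    if len(records) <= k:
        raise ValueError("need more than k records to find k neighbours")
    scaled = min_max_scale([vec for _, vec, _ in records])
    flagged = []
    for i, (flow_id, _, label) in enumerate(records):
        dists = sorted(
            (math.dist(scaled[i], scaled[j]), j)
            for j in range(len(records)) if j != i
        )
        neighbour_labels = [records[j][2] for _, j in dists[:k]]
        agreement = neighbour_labels.count(label) / k
        if agreement < min_agreement:
            majority = Counter(neighbour_labels).most_common(1)[0][0]
            flagged.append((flow_id, label, majority, agreement))
    return flagged


if __name__ == "__main__":
    for flow_id, given, majority, agreement in suspicious_labels(
            load_records(TRAINING_CSV)):
        print(f"{flow_id}: labelled {given!r}, neighbours say {majority!r} "
              f"(agreement {agreement:.0%}) -> hold for manual review")
```

The check only works while poisoned records are a minority in their neighbourhood, and it does not detect backdoor samples whose labels are consistent with their features, so flagged records should go to manual review rather than be relabeled automatically.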


In cases where AI systems are used in sectors covered by NIS 2 (e.g., healthcare, energy), entities must comply with both NIS 2 and the AI Act. They must leverage cybersecurity measures to support AI risk management and vice versa. These entities need a holistic approach to compliance, integrating cybersecurity and AI risk management practices.

We have developed the Artificial Intelligence Act Trained Professional (AIActTPro) program. You can find all the details about the program at: https://www.artificial-intelligence-act.com/Artificial_Intelligence_Act_Trained_Professional_(AIActTPro).html .


16 April 2024 – The European Systemic Risk Board (ESRB) published the paper “Advancing macroprudential tools for cyber resilience – Operational policy tools, April 2024.”

According to the paper, the pan-European systemic cyber incident coordination framework (EU-SCICF) should build on the Digital Operational Resilience Act (DORA) for the financial sector and should complement existing frameworks (e.g. financial and cyber incident) as well as the Network and Information Security (NIS2) Directive and the Resilience of Critical Entities Directive (CER).


18 September 2023 - Commission Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA).

The Commission Guidelines on the application of Article 4 (1) and (2) of the NIS 2 Directive, which were published in the Official Journal of the European Union on 18 September 2023, cover some of the major areas of concern for entities that try to understand if they must comply with the NIS 2 Directive, or with the Digital Operational Resilience Act (DORA) and other sector-specific Union legal acts.

Article 4(1) of the NIS 2 Directive provides that, where sector-specific Union legal acts (like DORA, that applies in the financial sector) require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall not apply to such entities. The sector-specific provisions will apply.

That provision further provides that where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.

Article 4(2)(a) of the NIS 2 Directive provides that cybersecurity risk-management measures that essential or important entities are required to adopt under sector-specific Union legal acts shall be considered to be equivalent in effect to the obligations laid down in the NIS 2 Directive, where those measures are at least equivalent in effect to those laid down in Article 21(1) and (2) of the NIS 2 Directive.

When assessing whether the requirements in a sector-specific Union legal act on cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2) of the NIS 2 Directive, the requirements in that sector-specific Union legal act should, at a minimum, correspond to the requirements of those provisions or go beyond them, meaning that the sector-specific provisions may be more granular on substance compared to the corresponding provisions of the NIS 2 Directive.

An important consideration when assessing the equivalence of a sector-specific Union legal act with the requirements of Article 21(1) and (2) of the NIS 2 Directive is that the cybersecurity risk-management measures required by the sector-specific Union legal act should be based on an ‘all-hazard approach’.

Since threats to the security of network and information systems could have different origins, any type of event can have a negative impact on the network information systems of the entity and potentially lead to an incident. Therefore, the cybersecurity risk-management measures taken by the entity should protect not only the entity’s network and information systems, but also the physical environment of those systems from any event such as sabotage, theft, fire, flood, telecommunication or power failures, or unauthorised physical access that are capable of compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

Consequently, the cybersecurity risk-management measures required by a sector-specific Union legal act should specifically address the physical and environmental security of network and information systems from systems failure, human error, malicious acts, or natural phenomena.


NIS 2 and DORA.

The Commission Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA) of 18 September 2023, further explain the following in the Appendix:

Article 1(2) of DORA provides that, in relation to financial entities covered by the NIS 2 Directive and its corresponding national transposition rules, DORA shall be considered a sector-specific Union legal act for the purposes of Article 4 of the NIS 2 Directive.

This statement is mirrored in recital (28) of the preamble to the NIS 2 Directive, which says that DORA should be considered a sector-specific Union legal act in relation to the NIS 2 Directive with regard to financial entities.

Consequently, the provisions of DORA relating to information and communication technology (ICT) risk management (Article 6 et seq.), management of ICT-related incidents and, in particular, major ICT-related incident reporting (Article 17 et seq.), as well as on digital operational resilience testing (Article 24 et seq.), information-sharing arrangements (Article 25) and ICT third-party risk (Article 28 et seq.) shall apply instead of those provided for in the NIS 2 Directive.

Member States should therefore not apply the provisions of the NIS 2 Directive on cybersecurity risk-management and reporting obligations, and supervision and enforcement, to financial entities covered by DORA.


November 28, 2022 - the Council adopts the NIS 2 Directive.

The NIS 2 Directive replaces and repeals the NIS Directive (Directive 2016/1148/EC). NIS 2 will improve cybersecurity risk management and will introduce reporting obligations across sectors such as energy, transport, health and digital infrastructure.

Next step: The directive will be published in the Official Journal of the European Union in the coming days, and will enter into force on the twentieth day following this publication.

Member states must incorporate the provisions of the NIS 2 Directive into national law within 21 months of the entry into force of the directive.


November 10, 2022 - the European Parliament adopts the NIS 2 Directive.

The NIS 2 Directive replaces and repeals the NIS Directive (Directive 2016/1148/EC).

Next step: The Council of the European Union must formally adopt the text of the NIS 2 Directive.


May 13, 2022 - Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament

The Council and the European Parliament agreed on measures for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.

Once adopted, the new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive).


Stronger risk and incident management and cooperation

NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure.

The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.


Widening of the scope of the rules

While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.

While the agreement between the European Parliament and the Council maintains this general rule, the provisionally agreed text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered.

The text also clarifies that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope.

As public administrations are also often targets of cyberattacks, NIS2 will apply to public administration entities at central and regional level. In addition, member states may decide that it applies to such entities at local level too.


Other changes introduced by the co-legislators

The European Parliament and the Council have aligned the text with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts.

A voluntary peer-learning mechanism will increase mutual trust and learning from good practices and experiences, thereby contributing to achieving a high common level of cybersecurity.

The two co-legislators have also streamlined the reporting obligations in order to avoid causing over-reporting and creating an excessive burden on the entities covered.

Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.


Next steps

The provisional agreement concluded today is now subject to approval by the Council and the European Parliament.

On the Council’s side, the French presidency intends to submit the agreement to the Council’s Permanent Representatives Committee for approval soon.


A revised Directive on Security of Network and Information Systems (NIS 2 Directive).

16.12.2020 - The European Commission adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive).

In spite of its notable achievements, the Directive on the security of network and information systems (NIS Directive) has by now also proven its limitations. The digital transformation of society (intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about new challenges, which require adapted and innovative responses.

Now any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the whole internal market.

To address these challenges, as announced in the Communication on Shaping Europe’s Digital Future, the Commission accelerated the Directive’s review to the end of 2020, carried out an impact assessment and presented a new legislative proposal.

This proposal is part of a package of measures to improve further the resilience and incident response capacities of public and private entities, competent authorities and the Union as a whole in the field of cybersecurity and critical infrastructure protection. It is in line with the Commission’s priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people.

Cybersecurity is a priority in the Commission’s response to the COVID-19 crisis. The package includes a new Strategy on Cybersecurity with the aim of strengthening the Union’s strategic autonomy to improve its resilience and collective response and to build an open and global internet. Finally, the package contains a proposal for a directive on the resilience of critical operators of essential services, which aims to mitigate physical threats against such operators.

This proposal builds on and repeals Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), which is the first piece of EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the Union. The NIS Directive has:

(1) contributed to improving cybersecurity capabilities at national level by requiring Member States to adopt national cybersecurity strategies and to appoint cybersecurity authorities;

(2) increased cooperation between Member States at Union level by setting up various fora facilitating the exchange of strategic and operational information; and

(3) improved the cyber resilience of public and private entities in seven specific sectors (energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructures) and across three digital services (online marketplaces, online search engines and cloud computing services) by requiring Member States to ensure that operators of essential services and digital service providers put in place cybersecurity requirements and report incidents.

The proposal modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape. Both developments have been further amplified since the onset of the COVID-19 crisis. The proposal also addresses several weaknesses that prevented the NIS Directive from unlocking its full potential.

Notwithstanding its notable achievements, the NIS Directive, which paved the way for a significant change in mind-set in relation to the institutional and regulatory approach to cybersecurity in many Member States, has also proven its limitations. The digital transformation of society (intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about new challenges which require adapted and innovative responses. The number of cyber-attacks continues to rise, with increasingly sophisticated attacks coming from a wide range of sources inside and outside the EU.

The evaluation on the functioning of the NIS Directive, conducted for the purposes of the Impact Assessment, identified the following issues:

(1) the low level of cyber resilience of businesses operating in the EU;

(2) the inconsistent resilience across Member States and sectors; and

(3) the low level of joint situational awareness and lack of joint crisis response. For example, certain major hospitals in a Member State do not fall within the scope of the NIS Directive and hence are not required to implement the resulting security measures, while in another Member State almost every single healthcare provider in the country is covered by the NIS security requirements.

Being an initiative within the Regulatory Fitness Programme (REFIT), the proposal aims at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. Most notably, this is achieved by abolishing the obligation of competent authorities to identify operators of essential services and by increasing the level of harmonisation of security and reporting requirements to facilitate regulatory compliance for entities providing cross-border services. At the same time, competent authorities will also be given a number of new tasks, including the supervision of entities in sectors so far not covered by the NIS Directive.

16.12.2020 - The Proposal for a directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

16.12.2020 - Annexes to the Proposal for a directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

The NIS 2 Directive, European Parliament, A high common level of cybersecurity in the EU


European Council - Strengthening EU-wide cybersecurity and resilience.

NIS 2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure.

The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.

While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.

While the Council’s position maintains this general rule, it includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered.

The Council text also clarifies that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope.

As public administrations are also often targets of cyberattacks, NIS2 will apply to public administration entities of central governments. In addition, member states may decide that it applies to such entities at regional and local level too.


The first NIS directive, main elements.

The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU, in order to contribute to the overall functioning of the internal market. It is based on 3 main pillars:

1. In order to achieve a high level of preparedness of Member States, the NIS Directive requires Member States to adopt a national strategy on the security of network and information systems. Member States are also required to designate national Computer Security Incident Response Teams (CSIRTs), who are responsible for risk and incident handling, a competent national NIS authority, and a single point of contact (SPOC). The SPOC has to exercise a liaison function to ensure cross-border cooperation between the Member State authorities with the relevant authorities in other Member States and with the NIS Cooperation Group.

2. The NIS Directive establishes the NIS Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States, and the CSIRTs Network, which promotes swift and effective operational cooperation between national CSIRTs.

3. The NIS Directive ensures that cybersecurity measures are taken across seven sectors, which are vital for our economy and society and which rely heavily on ICT, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure.

Public and private entities identified by the Member States as operators of essential services (OES) in these sectors are required to undertake a cybersecurity risk assessment and put in place appropriate and proportionate security measures. They are required to notify serious incidents to the relevant authorities. Providers of key digital services (digital service providers or DSPs), such as search engines, cloud computing services and online marketplaces, also have to comply with the security and notification requirements under the Directive. At the same time, the latter are subject to a so-called ‘light-touch’ regulatory regime, which entails, among other measures, that they are under the jurisdiction of one Member State for the whole EU and are not subjected to ex-ante supervisory measures.


The new NIS 2 directive, main elements.

The new Commission proposal aims to address the deficiencies of the previous NIS Directive, to adapt it to the current needs and make it future-proof.

To this end, the Commission proposal expands the scope of the current NIS Directive by adding new sectors based on how crucial they are for the economy and society, and by introducing a clear size cap, meaning that all medium and large companies in selected sectors will be included in the scope. At the same time, it leaves some flexibility for Member States to identify smaller entities with a high security risk profile.

The proposal also eliminates the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance, and divided into essential and important categories, which will be subjected to different supervisory regimes.

The proposal strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied. The proposal introduces more precise provisions on the process for incident reporting, content of the reports and timelines.

Furthermore, the Commission proposes to address security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in supply chains and supplier relationships. At European level, the proposal strengthens supply chain cybersecurity for key information and communication technologies. Member States, in cooperation with the Commission and ENISA, may carry out coordinated risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.

The proposal introduces more stringent supervisory measures for national authorities, stricter enforcement requirements and aims at harmonising sanctions regimes across Member States.

The proposal also enhances the role of the Cooperation Group in shaping strategic policy decisions and increases information sharing and cooperation between Member State authorities. It also enhances operational cooperation including on cyber crisis management.

The Commission proposal also establishes a basic framework with responsible key actors on coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU and creates an EU registry in this area, operated by the EU agency for cybersecurity (ENISA).

