03 December 2021


On 3 December, the Council agreed its position (General Approach) on the proposed revision of the Directive on measures for a high common level of cybersecurity across the EU (NIS2), aimed at further improving the resilience and incident response capacities of both the public and private sector and the EU as a whole. Once adopted, the new Directive (NIS2) will replace the current Directive on security of network and information systems (NIS directive).

The Council adopted its General Approach with a very broad scope for identifying essential entities under the NIS2 Directive, in form of a size cap covering all entities except for micro- and small ones. CLECAT considers the position to be highly problematic, as it goes beyond the intention of the Directive, whilst imposing undue burdens on entities which are not essential for the EU economy in their own right. This represents an urgent issue, which will have to be rectified during the trilogues to avoid the imposition of such undue burdens.

Ahead of the Council meeting, CLECAT addressed its serious concerns regarding the scope of the proposed NIS2 Directive to the Telecommunications Ministers, strongly urging them to re-consider the criteria defining the scope of an essential entity.

CLECAT strongly urged Member States to replace the size-cap with a qualitative criterion assessing the actual level of criticality of the entity for the Member State’s economy. Such criteria would have to be sector-specific and based on thorough research and consultation amongst the co-legislators and industry stakeholders on what exactly represents a level of criticality in the respective sector.

The CLECAT Press Release, containing the Position Paper which was shared with the EU Telecommunication Ministers is available on the CLECAT webpage.