25 May 2022

PROVISIONAL AGREEMENT ON NIS2

On 13 May, the Council and the European Parliament reached a provisional agreement on the revision of measures for a high common level of cybersecurity across the Union (NIS2), to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. Once adopted, the NIS2 Directive will replace the current directive on security of network and information systems (the NIS Directive).

NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the Directive, such as transport, energy, health and digital infrastructure. It aims to remove divergences in cybersecurity requirements and measures in different Member States. These divergences have led to a patchwork of national rules, which has been of great concern to CLECAT. To avoid such divergences, NIS2 sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation amongst relevant authorities in each Member State. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.

While under the old NIS Directive Member States were responsible for determining which entities would meet the criteria to qualify as operators of essential services (OES), the new NIS2 Directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope. CLECAT considered the scope to be highly problematic, as it goes beyond the intention of the Directive, whilst imposing undue burdens on entities which are not essential for the EU economy in their own right. CLECAT strongly urged Member States to replace the size-cap with a qualitative criterion assessing the actual level of criticality of the entity for the Member State’s economy. Such criteria would have to be sector-specific and based on thorough research and consultation amongst the co-legislators and industry stakeholders on what exactly represents a level of criticality in the respective sector. 

Whilst the agreement between the European Parliament and the Council maintains this general rule of a size-cap, the provisionally agreed text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered. 

The provisional agreement is now subject to approval by the Council and the European Parliament. On the Council’s side, the French presidency intends to submit the agreement to the Council’s Permanent Representatives Committee for approval soon.