On 16 December 2020, the European Commission adopted a Proposal for a Directive on Measures for a High Common Level of Cybersecurity across the Union (COM(2020) 823 final), commonly referred to as NIS 2.0.
Undoubtedly the NIS Directive contributed to a significant change in the regulatory approach to cybersecurity in many Member States. However, the increased digitisation of the internal market and the digital transformation of society as such mean that the threat landscape evolves and brings new challenges. As these developments were amplified during the COVID-19 crisis, the Commission brought the review of the NIS Directive forward to the end of 2020. The review identified limitations as well as deficiencies that prevented the NIS Directive from unlocking its full potential. An impact assessment further identified, inter alia, a low level of cyber resilience of businesses operating in the EU as well as inconsistent resilience across Member States and sectors.
The proposal for a NIS 2.0 is part of a package of measures to further improve the resilience and incident response capacities of public and private entities, competent authorities and the Union as a whole in the field of cybersecurity and critical infrastructure protection. The package also includes a new EU Cybersecurity Strategy and a proposal for a directive on the resilience of critical entities (operators of essential services), which aims to mitigate physical threats against such entities.
Key changes of the Commission proposal are:
- regarding subject-matter and scope of the Directive:
  - new sectors are added, e.g. waste water, public administration and space
  - existing sectors are amended: e.g. digital infrastructure should also encompass, inter alia, content delivery network providers, trust service providers and providers of public electronic communications networks
  - clear size cap: medium and large entities in the covered sectors are in scope, while small and micro enterprises are in general excluded, with sector-specific exceptions
- regarding structure of the Directive:
  - elimination of the distinction between OES and DSP; entities are instead classified as essential or important entities according to their importance
- regarding national cybersecurity frameworks:
  - establishment of a framework for Coordinated Vulnerability Disclosure
  - implementation of National Cybersecurity Crisis Management Frameworks
- regarding the cybersecurity risk management approach:
  - minimum list of basic security elements that entities must implement
  - more precise provisions on the incident reporting process
  - security of supply chains and supplier relationships is addressed
- regarding cooperation:
  - development of a European vulnerability registry
  - establishment of a European Cyber Crises Liaison Organisation Network (EU-CyCLONe)
  - improvement of information-sharing
- regarding supervision:
  - ex ante supervisory regime for essential entities; ex post supervisory regime for important entities
The proposal is now subject to negotiations between the co-legislators (Council of the EU and the European Parliament).