The work on the NIS Directive Commentary continues and we have published the commentary to Art. 11 NIS Directive, which also addresses the new tasks imposed upon the NIS Cooperation Group under Art. 14 NIS 2 Directive.
One of the priorities of the NIS Directive was to improve the cooperation between Member States in the field of NIS security.
Before the NIS Directive entered into force, a low level of protection in many Member States constituted an obstacle to cooperation and information sharing: information sharing is a matter of trust, and insufficient protection hinders the creation of trust among peers (see Proposal for a NIS Directive, Explanatory Memorandum, para. 1.1). The Explanatory Memorandum to the Proposal for a NIS Directive thus stated that cooperation was limited to those Member States with a high level of capabilities (ibid). Accordingly, cooperation and information sharing appeared underdeveloped and were limited to informal information exchange or cooperation schemes between Member States. In 2013, when the Proposal for a NIS Directive was published, a mechanism at EU level for effective cooperation and collaboration and for trusted information sharing on NIS incidents and risks among Member States was lacking (ibid). As a consequence, there was a risk of uncoordinated regulatory interventions, incoherent strategies and divergent standards, which in turn led to insufficient protection of NIS security (ibid). The European Commission recognized the need for a network of NCAs in order to enable secure and effective coordination ‘including coordinated information exchange as well as detection and response at EU level’ (ibid). The idea of an integrated EU approach tackling the security and resilience of NIS at EU level had previously been addressed, inter alia, in the Commission Communication on Critical Information Infrastructure Protection and the Council Resolution on a collaborative European Approach to Network and Information Security in 2009. Both interventions must be seen as direct responses to the large-scale cyber-attacks targeting Estonia in 2007 and the unprecedented level of sophistication of cyber-attacks in general, while dependence on critical infrastructure was on the rise.
The Digital Agenda for Europe and the Council Conclusions on the Agenda of May 2010 also stressed the need for cooperation mechanisms and a system of contact points to respond to cyber threats.
In order to eliminate differences in national approaches and to tackle the lack of systematic cross-border cooperation, the NIS Directive introduces several multi-stakeholder and multi-level approaches for cooperation: (1) Art. 11 NIS Directive establishes the NIS Cooperation Group (NIS CG), which is composed of representatives of the Member States, the Commission and ENISA; (2) Art. 12 NIS Directive establishes a network of national computer security incident response teams (CSIRTs network); and (3) Art. 13 NIS Directive provides a legal basis for the EU to conclude international agreements with third countries or international organisations allowing and organizing their participation in some activities of the NIS CG. Besides these cooperation mechanisms among Member States, Art. 10 NIS Directive also requires effective cooperation between the relevant actors at national level.