Negotiators from the trilogue parties reached a provisional political agreement on the NIS Directive 2.0 on 13 May 2022.
MEP Bart Groothuis provided an update on the result of the fourth round of inter-institutional negotiations in an interview with Luca Bertuzzi of Euractiv. As regards the scope of the new Directive, agreement was reached to include public entities. Groothuis stressed that it is particularly important to include these entities in light of a ransomware pandemic, the war on Ukraine, and new threats emerging. Leeway is granted to Member States to decide which part of regional government should be encompassed.
The NIS Directive 2.0 Proposal eliminates the distinction between operators of essential services and digital service providers (DSPs) and introduces a distinction between important and essential entities. Similar to the DSPs under the NIS Directive, important entities will be subject to ex post supervision, while essential entities fall under an ex ante supervisory regime. Furthermore, the maximum amount of a penalty depends on whether an entity is classified as important (max. 1.4% of annual turnover or EUR 7M) or essential (max. 2% of annual turnover or EUR 10M).
With a compromise on incident reporting timeframes, another controversial issue has been solved. The compromise foresees a report in the form of an early warning within 24 hours, in which an entity informs that it is under attack. This early warning should allow the establishment of a helpline and allow entities to seek support from a CSIRT. Within 72 hours an initial report has to be handed over. No information has yet been published on what counts as a reportable incident, i.e. whether this should also include cyber threats and incidents that only have the potential to cause harm or considerable loss.
In the interview, MEP Groothuis emphasises the necessity to have a single point of entry and simplified reporting procedures; the content of the agreement in that regard remains unclear.
The informal agreement will now have to be formally endorsed by Parliament and Council to come into force. Once published in the Official Journal, the Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law within 21 months.