[To Eurosmart members only]
NIS Directive: Outcome of the second round of negotiations
The second version of the NIS Directive (NIS 2) is currently subject to negotiations between the European Parliament and EU Member States (Council). The second round of negotiations took place on 17 February.
On 3 March, MEP Bart Groothuis (Renew, The Netherlands), rapporteur for the file, gave a briefing on the state of play of the negotiations. He mentioned the following points:
The main topic of divergence between the European Parliament and the Council remains the scope. The European Parliament wants Member States to lead by example: Member States ask a lot of companies (cybersecurity requirements), so the same requirements should apply to governmental bodies. Member States, on the other side, are not keen on having many public bodies within the scope of the NIS Directive.
The European Parliament also asks for legal certainty for companies. It should be clear whether they fall within the scope or not, and which measures they need to take. The Council remains unclear on this point.
During the second round of negotiations, the European Parliament and the Council also discussed ways to incentivise CEOs to invest in cybersecurity measures. This includes discussing liability.
Cybersecurity certification: pending issues
An earlier version of the negotiating table was leaked. You can find the link to the 4-column table below. Please note that this 4-column table does not take the results of the second round into account.
On the topic of cybersecurity certification, the table (page 202) shows that the European Parliament and the Council could already agree on the obligation for Member States to have a policy on cybersecurity requirements in public procurement. The following phrasing was agreed: “Member States shall, in particular, adopt the following policies: […] a policy regarding the inclusion and specification of cybersecurity-related requirements for ICT products and services in public procurement, including cybersecurity certification as well as encryption requirements and the use of open-source cybersecurity products;”.
By contrast, the table (page 293) does not show any progress on the topic of mandatory cybersecurity certification for certain products used by essential and important entities. For now, it seems that this topic has not been addressed during the negotiations.
The European Parliament’s version still states that Member States “shall encourage” essential and important entities to certify certain ICT products, services and processes. The Council wants to keep the option for Member States to “require” entities to use particular ICT products, services and processes certified under specific European cybersecurity certification schemes.
In both versions, the European Commission would still be empowered to adopt delegated or implementing acts to specify which categories of essential and important entities are required to obtain a European certificate. Nevertheless, the European Parliament and the Council seem to have similar views on the fact that such mandatory certification must come with safeguards. For example, a careful impact assessment should be carried out beforehand.
The two institutions also kept the possibility for the Commission to request ENISA to prepare a candidate scheme in cases where no appropriate scheme is available. However, the European Parliament added that the Commission must previously consult the NIS Cooperation Group and the European Cybersecurity Certification Group (ECCG). Member States added that the Commission may also request ENISA to review an existing scheme.