
[To Eurosmart members only]

 

NIS 2 Directive: What is the final word on certification?

The European Parliament and the Council are currently concluding the negotiations on the revision of the NIS Directive. The NIS Directive sets cybersecurity requirements for essential and important entities (previously called operators of essential services and digital services). NIS 2 considers the possibility for Member States and the European Commission to require those entities to use certified products, services and processes (Article 21).

A leaked version of the text under negotiation shows the final shape that Article 21 could take. It appears that the negotiators chose a simplified version of the Commission’s phrasing: “Member States may require entities to use particular ICT products, services and processes, either developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to [the Cybersecurity Act].”

In this respect, the negotiators did not settle in favour of the European Parliament’s version. The European Parliament’s version stated that Member States should merely encourage entities to certify certain ICT products, services, and processes using European or internationally recognised schemes. The agreed version is closer to the Commission’s proposal and the Council’s views.

However, the agreed version does incorporate one proposal from the European Parliament: Member States shall encourage essential and important entities to use qualified trust services pursuant to eIDAS.

In the agreed text, the European Commission is still empowered to adopt delegated acts specifying which categories of essential or important entities shall be required to use certain certified products, services and processes or obtain a certificate under a European certification scheme (CSA).

However, a few limits to such power were added. First, the Commission can only adopt those delegated acts if insufficient levels of cybersecurity have been identified. Secondly, it shall envisage an implementation period. Thirdly, before adopting the delegated acts, the Commission must carry out an impact assessment and a stakeholder consultation.

Please follow the link below for the (leaked) four-column document from the NIS negotiations.

 
NIS 2 4-column text

Next steps

The European Parliament and the Council will conclude the negotiations. They will then formally approve the text.

Member States will need to transpose the provisions of the Directive into their national laws.

 

If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com

 
Eurosmart
Square de Meeûs 35 - 1000 Brussels - BELGIUM
EU transparency register #21856815315-64