|
[To Eurosmart members only]
NIS Directive: Conclusion of the negotiations
On 13 May, the European Parliament and the Council reached a political agreement on the revision of the NIS Directive.
This legislation sets cybersecurity requirements and reporting obligations for entities operating in specific sectors. As envisaged in the Commission’s proposal, NIS 2 will cover a broader range of sectors than the current version of the Directive. For instance, it will encompass trust service providers, providers of public electronic communications services, manufacturing of critical products and public administration (central and regional level). However, activities in the area of defence, national security, public security, law enforcement and the judiciary do not fall within the scope of NIS 2.
The categories of Operators of Essential Services and Digital Providers no longer exist in NIS 2. They are replaced by “essential entities” and “important entities”, the first ones being subject to more stringent rules.
Another novelty is the supply chain aspect. The new NIS Directive addresses the security of supply chains and supplier relationships.
NIS 2 establishes the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.
For the details on certification, please refer to this previous email.
Next steps
The European Parliament and the Council will formally endorse the political agreement. Once published in the Official Journal of the EU, Member States will have a bit over 21 months to transpose the Directive into national law.
|
