Events

2023/01/17
   EC - Commission response to text adopted in plenary
2022/12/27
   Final act published in Official Journal
Details

PURPOSE: to strengthen cybersecurity and resilience across the EU.

LEGISLATIVE ACT: Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).

CONTENT: the Directive establishes measures that aim to achieve a common high level of cybersecurity across the Union, with a view to further improving the resilience and incident response capabilities of the public and private sectors and of the EU as a whole. The new Directive, known as 'NIS 2', replaces Directive (EU) 2016/1148 on security of network and information systems (the NIS Directive).

Objective

The revised Directive aims to harmonise cybersecurity requirements and implementation of cybersecurity measures in different Member States. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each Member State.

The NIS 2 Directive will form the basis for cybersecurity risk management measures and reporting obligations in all key sectors covered by the Directive, namely energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, public administrations and the space sector, as well as in important sectors such as postal services, waste management, chemicals, food, medical device manufacturing, electronics, machinery, vehicle engines and digital suppliers.

Scope

The NIS 2 Directive introduces a size-cap rule as the general rule for identifying regulated entities: all medium-sized and large entities that operate in the sectors covered by the Directive, or that provide services falling within its scope, are covered.

The Directive will apply to public administration entities at central and regional level. In addition, Member States may decide to apply it also to such entities at local level and to educational institutions, in particular where they carry out critical research activities.

The Directive will not apply to public administration entities carrying out activities in the fields of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. Parliaments and central banks are also excluded from the scope.

The Directive lays down minimum rules for a regulatory framework and does not prevent Member States from adopting or maintaining provisions ensuring a higher level of cybersecurity.

While the revised Directive maintains this general size-cap rule, its text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria allowing national authorities to bring further entities within scope.

Coordinated cyber security frameworks

The Directive sets out obligations for Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity and computer security incident response teams (CSIRTs).

Cooperation at EU level

The Directive sets out mechanisms for effective cooperation between the competent authorities of each Member State. It establishes a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and to build confidence. A network of national CSIRTs is established to contribute to confidence building and to promote swift and effective operational cooperation between Member States.

The Directive also formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), which will support the coordinated management of large-scale cyber security incidents.

Voluntary peer learning mechanism

A voluntary peer learning mechanism will enhance mutual trust and learning from good practices and experiences in the Union, thereby contributing to a common high level of cyber security.

The Cooperation Group will establish, by 17 January 2025, with the assistance of the Commission and ENISA and, where appropriate, the CSIRT network, the methodology and organisational aspects of peer reviews with a view to learning from shared experiences, building mutual trust, achieving a common high level of cybersecurity, as well as strengthening Member States' cybersecurity capacities and policies necessary for the implementation of the Directive.

Simplification of reporting obligations

The Directive streamlines the reporting obligations to avoid over-reporting and creating an excessive burden for the entities concerned.

In order to simplify the reporting of information required under the Directive and to reduce the administrative burden on entities, Member States will provide technical means, such as a single entry point, automated systems, online forms, user-friendly interfaces, templates and dedicated platforms for the use of entities, irrespective of whether they fall within the scope of the Directive, for the submission of the relevant information to be reported.

Lastly, the Directive provides for remedies and penalties to ensure compliance with the legislation.

ENTRY INTO FORCE: 16.1.2023

TRANSPOSITION: no later than 17.10.2024. The provisions will apply from 18.10.2024.

2022/12/14
   CSL - Draft final act
2022/12/14
   CSL - Final act signed
2022/11/28
   EP/CSL - Act adopted by Council after Parliament's 1st reading
2022/11/10
   EP - Results of vote in Parliament
2022/11/10
   EP - Debate in Parliament
2022/11/10
   EP - Decision by Parliament, 1st reading
Details

The European Parliament adopted by 577 votes to 6 with 31 abstentions a legislative resolution on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148.

The European Parliament's first reading position under the ordinary legislative procedure amends the proposal as follows:

Strengthening EU-wide cybersecurity and resilience

This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market and to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.

To that end, this Directive lays down:

- obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs);

- cybersecurity risk management measures and reporting obligations for entities in ‘critical’ sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, public administrations and the space sector, as well as in ‘important’ sectors such as postal services, waste management, chemicals, food, medical device manufacturing, electronics, machinery, vehicle engines and digital suppliers;

- rules and obligations on cybersecurity information sharing;

- supervisory and enforcement obligations on Member States.

The Directive lays down minimum rules for a regulatory framework and does not prevent Member States from adopting or maintaining provisions ensuring a higher level of cyber security.

Scope of application

All medium-sized and large entities that operate in the sectors covered by the Directive, or that provide services falling within its scope, are covered.

As public administrations are often the target of cyber-attacks, the Directive will apply to public administration entities at central and regional level. In addition, Member States may decide to apply it also to such entities at local level as well as to educational institutions, in particular where they carry out critical research activities.

The Directive will not apply to public administration entities carrying out activities in the field of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. Parliaments and central banks are also excluded from the scope.

The Directive includes additional provisions to ensure proportionality, a higher level of risk management and clear criteria on the criticality of entities, to determine which ones are covered.

Cooperation at EU level

The Directive sets out mechanisms for effective cooperation between the competent authorities of each Member State. It establishes a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and to build confidence. A network of national CSIRTs is established to contribute to confidence building and to promote swift and effective operational cooperation between Member States.

The Directive also formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), which will support the coordinated management of large-scale cyber security incidents.

Voluntary peer learning mechanism

Peer reviews should be introduced to help learn from shared experiences, build mutual trust and achieve a common high level of cyber security. The Cooperation Group should establish, no later than 2 years after the date of entry into force of the Directive, with the assistance of the Commission and ENISA and, where appropriate, the CSIRT network, the methodology and organisational aspects of peer reviews. Participation in peer reviews should be voluntary.

Simplification of reporting obligations

The Directive streamlines the reporting obligations to avoid over-reporting and creating an excessive burden for the entities concerned.

In order to simplify the reporting of information required under the Directive and to reduce the administrative burden on entities, Member States should provide technical means, such as a single entry point, automated systems, online forms, user-friendly interfaces, templates and dedicated platforms for the use of entities, irrespective of whether they fall within the scope of the Directive, for the submission of the relevant information to be reported.

Lastly, the Directive provides for remedies and penalties to ensure compliance with the legislation.

2022/07/13
   EP - Approval in committee of the text agreed at 1st reading interinstitutional negotiations
2022/04/11
   ECB - European Central Bank: opinion, guideline, report
2021/11/22
   EP - Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
2021/11/10
   EP - Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
2021/11/04
   EP - Committee report tabled for plenary, 1st reading
Details

The Committee on Industry, Research and Energy adopted the report by Bart GROOTHUIS (Renew Europe, NL) on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Subject matter and scope

This Directive should apply to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II that provide their services or carry out their activities within the Union. It should not apply to entities that qualify as micro or small enterprises. No later than 6 months after the transposition deadline, Member States should draw up a list of essential and important entities. This list should be updated regularly and at least every two years.

Essential and important entities should submit at least the following information to the competent authorities: (i) the name of the entity, (ii) its address and up-to-date contact details, including e-mail addresses, (iii) its IP ranges, (iv) telephone numbers and (v) the relevant sector(s) and sub-sector(s) listed in Annexes I and II. Entities should inform the competent authorities of any changes to this information.

To this end, the European Union Agency for Cybersecurity (ENISA), in cooperation with the Cooperation Group, should issue guidelines and templates on notification obligations as soon as possible. Processing of personal data under the Directive would be carried out in accordance with the General Data Protection Regulation (GDPR).

National cyber security strategy

The strategy should also include a framework for the allocation of roles and responsibilities of public bodies and entities and other relevant actors, a single point of contact on cyber security for SMEs, and an assessment of the general level of cyber security awareness among citizens.

Member States should also adopt:

- a cybersecurity policy for each sector covered by the Directive;

- requirements for encryption and the use of open source cyber security products;

- a policy related to maintaining the overall availability and integrity of the public core of the open Internet, including the cybersecurity of undersea communications cables;

- a policy to promote the development and integration of emerging technologies, such as artificial intelligence, into cybersecurity enhancing tools and applications;

- a policy to promote cyber hygiene, increasing general awareness of cyber security threats and best practices among citizens;

- a policy to promote active cyber defence;

- a policy to help authorities develop competences and understanding of the security aspects needed to design, build and manage connected places;

- a policy specifically addressing the ransomware threat and disrupting the ransomware business model;

- a policy, including relevant procedures and governance frameworks, to support and promote the development of public-private partnerships in cyber security.

ENISA should provide guidance to Member States to align national cyber security strategies with the requirements and obligations set out in the Directive.

Coordinated vulnerability disclosure and European vulnerability database

ENISA should develop and maintain a European vulnerability database leveraging the global Common Vulnerabilities and Exposures (CVE) registry. To this end, ENISA should adopt the necessary technical and organisational measures to ensure the security and integrity of the database.

Computer Security Incident Response Teams (CSIRTs)

Member States should ensure the possibility of effective, efficient and secure information exchange at all classification levels between their own CSIRTs and CSIRTs from third countries at the same classification level. CSIRTs should develop at least the following technical capabilities:

- the ability to conduct real-time or near-real-time monitoring of networks and information systems, and anomaly detection;

- the ability to support intrusion prevention and detection;

- the ability to collect and conduct complex forensic data analysis, and to reverse engineer cyber threats;

- the ability to filter malign traffic;

- the ability to enforce strong authentication and access privileges and controls; and

- the ability to analyse cyber threats.

CSIRTs should be responsible for monitoring cyber threats, vulnerabilities and incidents at national level and acquiring real-time threat intelligence, responding to incidents and assisting the entities involved, as well as contributing to the deployment of secure information sharing tools.

ENISA should publish, in cooperation with the Commission, a biennial report on the state of cyber security in the EU and submit it to the European Parliament.

Reporting obligations

Member States should establish a single point of contact for all notifications required under the Directive and other relevant EU legislation.

Essential and important entities should notify CSIRTs about significant incidents that have an impact on the availability of their service within 24 hours of becoming aware of the incident. They should notify CSIRTs about significant incidents that breach the confidentiality and integrity of their services within 72 hours of becoming aware of the incident.

Fines

To ensure effective enforcement of the obligations laid down in this Directive, each competent authority should have the power to impose or request the imposition of administrative fines if the infringement was intentional, negligent or the entity concerned had received notice of the entity’s non-compliance.

2021/10/28
   EP - Vote in committee, 1st reading
2021/10/28
   EP - Committee decision to open interinstitutional negotiations with report adopted in committee
2021/10/15
   EP - Committee opinion
2021/07/15
   EP - Committee opinion
2021/07/14
   EP - Committee opinion
2021/07/14
   EP - Committee opinion
2021/06/03
   EP - Amendments tabled in committee
2021/06/03
   EP - Amendments tabled in committee
2021/05/20
   EP - Referral to associated committees announced in Parliament
2021/05/03
   EP - Committee draft report
2021/04/12
   EP - MANDL Lukas (EPP) appointed as rapporteur in LIBE
2021/03/23
   CZ_SENATE - Contribution
2021/03/21
   ES_PARLIAMENT - Contribution
2021/03/21
   ES_PARLIAMENT - Contribution
2021/03/17
   ES_PARLIAMENT - Contribution
2021/03/17
   PT_PARLIAMENT - Contribution
2021/03/11
   EDPS - Document attached to the procedure
2021/02/24
   CZ_CHAMBER - Contribution
2021/02/22
   EP - GREGOROVÁ Markéta (Verts/ALE) appointed as rapporteur in AFET
2021/02/09
   EP - LØKKEGAARD Morten (Renew) appointed as rapporteur in IMCO
2021/02/03
   EP - DALUNDE Jakop G. (Verts/ALE) appointed as rapporteur in TRAN
2021/01/21
   EP - Committee referral announced in Parliament, 1st reading
2021/01/14
   EP - GROOTHUIS Bart (Renew) appointed as rapporteur in ITRE
2020/12/16
   EC - Document attached to the procedure
2020/12/16
   EC - Document attached to the procedure
2020/12/16
   EC - Document attached to the procedure
2020/12/16
   EC - Legislative proposal published
Details

PURPOSE: to introduce new measures for a common level of cybersecurity across the EU.

PROPOSED ACT: Directive of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: Directive (EU) 2016/1148 of the European Parliament and of the Council aimed at building cybersecurity capabilities across the EU, mitigating threats to the network and information systems used to provide essential services in key sectors, and ensuring the continuity of such services in the face of cybersecurity incidents, thereby helping the EU's economy and society to function effectively.

Since the entry into force of Directive (EU) 2016/1148, significant progress has been made in increasing the Union's level of cybersecurity resilience.

CONTENT: this proposal builds on and repeals Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), which is the first piece of EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the EU. The proposal modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape.

Specific provisions

Scope

The proposal should apply to certain public or private essential entities operating in the sectors listed in Annex I (energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; public administration; and space) and to certain important entities operating in the sectors listed in Annex II (postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; and digital providers).

Micro and small entities are excluded from the scope of the Directive, except for providers of electronic communications networks or of publicly available electronic communications services, trust service providers, top-level domain (TLD) name registries and public administration entities, and certain other entities, such as the sole provider of a service in a Member State.

National cybersecurity frameworks

The proposal stipulates that Member States are required to adopt a national cybersecurity strategy defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of cybersecurity. The proposed directive also establishes a framework for Coordinated Vulnerability Disclosure and requires Member States to designate computer security incident response teams to act as trusted intermediaries and facilitate the interaction between the reporting entities and the manufacturers or providers of ICT products and ICT services.

Member States are required to put in place National Cybersecurity Crisis Management Frameworks, by designating national competent authorities responsible for the management of large-scale cybersecurity incidents and crises.

Cybersecurity risk management and reporting obligations

The proposal requires Member States to ensure that the management bodies of all entities within scope approve the cybersecurity risk management measures taken by their entities and follow specific cybersecurity-related training. Member States are also required to ensure that entities within scope take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems.

TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data. Furthermore, such entities are required to provide efficient access to domain registration data for legitimate access seekers.

Jurisdiction and registration

As a rule, essential and important entities are deemed to be under the jurisdiction of the Member State where they provide their services. However, certain types of entities (DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, as well as certain digital providers) are deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.

Information sharing

Member States should provide rules enabling entities to engage in cybersecurity-related information sharing within the framework of specific cybersecurity information-sharing arrangements.

Supervision and enforcement

Competent authorities are required to supervise the entities within the scope of the proposed Directive, and in particular to ensure their compliance with the security and incident notification requirements. The proposal also requires Member States to impose administrative fines on essential and important entities and defines certain maximum fines.

Votes

A high common level of cybersecurity across the Union - A9-0313/2021 - Bart Groothuis - Request by the Verts/ALE group

2022/11/10 Outcome: -: 459, +: 123, 0: 28

Votes cast by Member State (for, against and abstentions combined):

  DK 11   MT 5    CY 5    EL 18   FI 12   LU 6    BE 20   LV 7    IE 12
  LT 10   EE 5    HR 10   SI 8    AT 15   CZ 15   SE 21   PT 20   SK 13
  BG 17   NL 28   HU 17   DE 79   RO 29   FR 66   IT 65   ES 50   PL 46
  Total: 610

Votes cast by political group:

  Verts/ALE 63   The Left 31   NI 37   ECR 55   ID 54   Renew 91   S&D 123   PPE 156
  Total: 610

A high common level of cybersecurity across the Union - A9-0313/2021 - Bart Groothuis - Provisional agreement - Amendment 281

2022/11/10 Outcome: +: 577, 0: 31, -: 6

Votes cast by Member State (for, against and abstentions combined):

  DE 81   FR 67   IT 65   ES 50   PL 46   RO 29   NL 29   BE 20   SE 21
  BG 17   HU 17   PT 20   AT 15   EL 18   CZ 15   FI 12   LT 10   HR 10
  SK 13   IE 12   DK 11   SI 8    LV 7    LU 6    MT 5    EE 5    CY 5
  Total: 614

Votes cast by political group:

  PPE 157   S&D 126   Renew 92   Verts/ALE 63   ID 53   ECR 55   NI 37   The Left 31
  Total: 614
Amendments dossier 2020/0359(COD): 1015 amendments

2021/05/28   TRAN   54 amendments    source: 693.632
2021/05/31   AFET   2 amendments     source: 693.660
2021/06/01   AFET   56 amendments    source: 693.649
2021/06/03   IMCO   737 amendments