EU CNCL NIS2 Cybersecurity Directive


On May 13, 2022, EU CNCL announced a provisional agreement reached by the Council and the EP on the NIS2 directive.


  • Provisional agreement on strengthening EU-wide cybersecurity and resilience (NIS2).
  • Follows EU CNCL Jan. 2022 note with four-column table on proposal, see #120137.
  • Follows ECB Apr. 2022 support for the proposed EU cybersecurity directive, see #135135.
  • Provisional Agreement
  • Council and EP agreed on measures for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of the EU.
  • Once adopted, the new directive, called NIS2, will replace the current directive on security of network and information systems (the NIS directive).
  • Stronger Risk and Incident Management
  • NIS2 will set the baseline for cybersecurity risk management and reporting obligations across all sectors covered by the directive, such as energy, transport, health and digital infrastructure.
  • The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states.
  • To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among the authorities in each member state.
  • It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.
  • Directive will formally establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will support coordinated management of large-scale incidents.
  • Widening Scope of the Rules
  • Under the old directive, Member States determined which entities met the criteria to qualify as operators of essential services; NIS2 instead introduces a size-cap rule.
  • This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.
  • The agreement between EP and the Council maintains this general rule, but the provisionally agreed text adds provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining which entities are covered.
  • Text also clarifies that directive will not apply to entities carrying out activities in areas such as defense or national security, public security, law enforcement and the judiciary.
  • Parliaments and central banks are also excluded from the scope.
  • As public administrations are also often targets of cyberattacks, NIS2 will apply to public administration entities at central and regional level; in addition, member states may decide that it applies to such entities at local level too.
  • Other Changes
  • EP and the Council have aligned the text with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts, see #137568.
  • Voluntary peer-learning mechanism will increase mutual trust and learning from good practices/experiences, contributing to achieving high common level of cybersecurity.
  • The two co-legislators have also streamlined the reporting obligations to avoid over-reporting and an excessive burden on the entities covered.
  • Effectiveness
  • The provisional agreement is now subject to approval by the Council and the EP.
  • On the Council’s side, the French presidency intends to submit the agreement to the Council’s Permanent Representatives Committee (COREPER) for approval soon.
  • Once published in OJ, directive will enter into force 20 days after publication; Member States will then need to transpose the new elements of the directive into national law.
  • Member States will have 21 months to transpose the Directive into national law.
  • EC Statement
  • On the same day, EC issued statement welcoming political agreement on new rules.
  • Noted that NIS 2 directive now covers medium and large entities from more sectors that are critical for the economy and society, including providers of public electronic communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services, and public administration.
  • It also covers the healthcare sector more broadly, for example by including medical device manufacturers, given the increased security threats that arose during Covid-19.
  • The expansion of the scope covered by the new rules, by effectively obliging more entities and sectors to take cybersecurity risk management measures, will help increase the level of cybersecurity in Europe in the medium and longer term.
  • NIS 2 directive also strengthens the cybersecurity requirements imposed on companies, addresses security of supply chains and supplier relationships, and introduces accountability of top management for non-compliance with the cybersecurity obligations.
  • It also streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, as well as stricter enforcement requirements.
  • It will help increase information sharing and cooperation on cyber crisis management.
  • In May 2022, EU CNCL issued conclusion on cyber posture development, see #138675.
  • Nov. 10, 2022 EP Adopted Text
  • On Nov. 10, 2022, EP announced it adopted the text agreed for the NIS 2 Directive.
  • The new law sets tighter requirements for businesses, administrations, infrastructure.
  • Differing national cybersecurity measures make the EU more vulnerable; the new rules cover essential sectors such as energy, transport, banking and health.
  • Text, already agreed between MEPs and Council in May, will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing.
  • The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions.
  • Also establishes a framework for better cooperation and information sharing between different authorities and Member States, and creates a European vulnerability database.
  • After EP's approval, the Council has to formally adopt the text before publication in the Official Journal.
  • Nov. 11, 2022 EU CNCL Approval
  • On Nov. 11, 2022, EU CNCL issued information note on the EP's first reading position.
  • Parliament's position reflects what had been previously agreed between institutions.
  • The Council should therefore be in a position to approve the Parliament's position.
  • Act would then be adopted in wording which corresponds to the Parliament's position.
  • Nov. 11, 2022 EP Update
  • On Nov. 11, 2022, EP issued information on adopted NIS2 and EU cybersecurity laws.
  • With rapidly expanding digitalization of daily life, further accelerated by the pandemic, protection against cyber threats has become essential for society to function properly.
  • In Nov. 2022, EP updated EU law to bolster investment in strong cybersecurity for essential services and critical infrastructure and strengthen EU-wide rules.
  • After the EP's approval on Nov. 10, the text also needs to be approved by EU States in the Council, after which Member States will have 21 months to implement it; more detail provided.
  • Because the financial sector is more and more dependent on software and digital processes, it also needs increased protection: DORA will ensure the EU's financial sector is more resilient to severe operational disruptions and cyber-attacks (#137568).
  • EP gave final approval to DORA on Nov. 10, 2022, adopting the text previously agreed with the Council.
  • Introduces and harmonizes digital operational resilience requirements for EU’s financial services sector, obliging companies to make sure that they can withstand, respond to, recover from all types of ICT related disruptions and threats.
  • It applies to all companies providing financial services, e.g. banks, payment providers, e-money providers, investment firms and crypto-asset service providers, as well as critical ICT third-party service providers; national authorities will supervise and enforce implementation.
  • Nov. 17, 2022 EU CNCL Final Text
  • On Nov. 17, 2022, EU CNCL issued final text of the NIS2 directive (PE-CONS 32/22).
  • Directive shall enter into force on 20th day following that of its publication in the OJ.
  • Nov. 18, 2022 EU CNCL Adoption
  • On Nov. 18, 2022, EU CNCL issued item note concerning adoption of the new directive.
  • COREPER asked to confirm its agreement and to suggest that the Council approve the EP's position, as set out in PE-CONS 32/22, as an ‘A’ item at a forthcoming meeting.
  • If Council approves the European Parliament's position, legislative act will be adopted.
  • Nov. 22, 2022 Croatia Statement
  • On Nov. 22, 2022, EU CNCL issued an amended item note on the proposed adoption, incorporating a reference to a statement by Croatia expressing its discontent with the Croatian equivalent of the English term 'cyber' used in the Croatian language version.
  • Nov. 28, 2022 EU CNCL Adopt NIS2
  • On Nov. 28, 2022, EU CNCL announced adoption of NIS2 on cybersecurity across EU.
  • To improve resilience and incident response capacities of both public, private sectors.
  • NIS2 will replace current directive on security of network, information systems (NIS).
  • NIS2 introduces a size-cap rule as a general rule for identification of regulated entities.
  • It means all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope; more details provided.
  • Aligned with sector-specific legislation, in particular DORA and resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and those.
  • It will be published in the EU Official Journal in the coming days and enter into force 20 days after publication.
  • EU States will have 21 months from the entry into force to transpose it to national law.
  • Dec. 15, 2022 Adopted Text
  • On Dec. 15, 2022, EU CNCL issued final adopted text of NIS2 directive, dated Dec. 14.
  • Directive shall enter into force on the 20th day following that of publication in the OJ.
  • By 21 months after the date of entry into force of this directive, Member States shall adopt and publish the measures necessary to comply with the directive.
  • They shall immediately inform the European Commission of those measures and shall apply them from the day after the transposition date referred to in the bullet point above.
  • Dec. 27, 2022 Official Journal
  • On Dec. 27, 2022, the final NIS2 text, Dir 2022/2555, was published in the Official Journal (OJ L 333/80).
  • By Oct. 17, 2024, Member States shall adopt and publish the measures necessary to comply with the directive; they shall immediately inform the Commission thereof.
  • They shall apply those measures from Oct. 18, 2024; the directive entered into force on the 20th day following its publication in the Official Journal, i.e. Jan. 16, 2023.
  • Sep. 14, 2023 Article 3(4) Guidance
  • On Sep. 14, 2023, EU CMSN issued guidelines on application of Article 3(4) of NIS2.
  • For the purposes of establishing the list of essential and important entities, Member States should require entities to submit at least the following information to the NCAs:
  • The name, address and up-to-date contact details, including the email addresses, IP ranges and telephone numbers of the entity; and, where applicable, relevant sector and subsector referred to in the annexes; as well as, where applicable, a list of the Member States where they provide services falling within the scope of the Directive.
  • Appendix sets out a template for collection of that information for purposes of the list.
  • Sep. 18, 2023 Article 4(1), (2) Guidance
  • On Sep. 18, 2023, EU CMSN issued guidelines on application of NIS2, Article 4(1), (2).
  • Guidelines clarify application of provisions which concern the relationship between Dir 2022/2555 and current and future sector-specific Union legal acts addressing cybersecurity risk-management measures or incident reporting requirements.
  • The Appendix to the guidelines lists the sector-specific Union legal acts that the Commission considers to fall within the scope of Article 4 of Directive (EU) 2022/2555.
  • The fact that an act is not listed in that Appendix does not necessarily mean that it does not fall within the scope of that provision.
  • In application of Article 4(3), third sentence, of Dir 2022/2555, the Commission took account of the observations of the NIS Cooperation Group and the European Union Agency for Cybersecurity (ENISA) prior to the adoption of the present guidelines.
  • Dec. 2023 Corrigendum
  • On Dec. 22, 2023, EU CNCL issued a corrigendum to Dir 2022/2555; on page 125, the first sentence of Article 19(1) is amended from "1. The Cooperation Group shall, on 17 January 2025, establish, with the assistance …" to "1. The Cooperation Group shall, by 17 January 2025, establish, with the assistance …".
  • In Apr. 2024, EC launched initiative re NIS 2 implementing regulation, see #209848.
  • In Jun. 2024, EU CMSN issued NIS2 draft regulation and annex, see #217558.

Regulators EP; EU CMSN; EU CNCL
Entity Types CNSM; Corp
Reference OJ L, 12/22/2023; OJ C 328/2, 9/18/2023; OJ C 324/2, Gd, 9/14/2023; OJ L 333/80, 12/27/2022; PR, 12/15/2022; Dir 2022/2555, PE-CONS 32/2/22 REV 2, 12/14/2022; PR 11/28/2022; PR, 14828/1/22 REV 1, 11/22/2022; PR, 14828/22, 11/18/2022; PR, PE-CONS 32/22, 11/17/2022; PR, 20221103STO48002, 14617/22, 11/11/2022; P9_TA(2022)0383, PR, 20221107IPR49608, 11/10/2022; PR IP/22/2985, 5/13/2022; 2020/0359(COD), COM(2020) 823 final; Rpl NIS Dir 2016/1148; DORA; CER; Citation: PE-CONS 32/22; NIS2 Dir 2022/2555;
Functions BCS; Compliance; Cyber; Financial; Legal; Operations; Privacy; Risk; Technology; Treasury
Countries Croatia; European Union
Category
State
Products Corporate
Regions EMEA
Rule Type Final
Rule Date 5/27/2022
Effective Date 10/18/2024
Rule Id 137905
Linked to Rule :209848
Reg. Last Update 12/22/2023
Report Section EU

Last substantive update on 12/28/2023