Communications networks, content and technology

← Communications networks, content and technology

Strengthening the security of Network and Information Systems (NIS)

Overall state of play:

Evaluation – Finalised: SWD (2020) 345, 16.12.2020
Commission Proposal – Adopted: adopted by the Commission on 16.12.2020, COM (2020) 823
Legal act – Adopted: Directive (EU) 2022/2555 of 14.12.2022

State of play, main conclusions, outlook

In 2013, the Commission proposed to reinforce security of network and information systems in the Union (COM (2013) 48, adopted on 7.02.2013). This was then adopted by the European Parliament and the Council on 6.07.2016 as Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (‘NIS Directive’). It entered into force on 8.08.2016, with transposition deadline for Member States on 10.05.2018, becoming the first piece of EU-wide legislation on cybersecurity and providing legal measures to boost the overall level of cybersecurity in the Union.

A review was supposed to be completed in May 2021 but the Commission decided to accelerate the review to the end of 2020, carry out an impact assessment and propose a new legislative proposal.

The resulting proposal adopted in December 2020 builds on and repeals the NIS Directive. It modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape.

The proposal also addresses several weaknesses that prevented the NIS Directive from unlocking its full potential. The digital transformation of society (intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about new challenges, which require adapted and innovative responses. The number of cyber-attacks continues to rise, with increasingly sophisticated attacks coming from a wide range of sources inside and outside the EU.

The evaluation on the functioning of the NIS Directive identified the following issues: (1) the low level of cyber resilience of businesses operating in the EU; (2) the inconsistent resilience across Member States and sectors; and (3) the low level of joint situational awareness and lack of joint crisis response. For example, certain major hospitals in a Member State do not fall within the scope of the NIS Directive and hence are not required to implement the resulting security measures, while in another Member State almost every single healthcare provider in the country is covered by the NIS security requirements.

Estimated savings and benefits

The proposal aims at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. Most notably, this is achieved by abolishing the obligation of competent authorities to identify operators of essential services and by increasing the level of harmonisation of security and reporting requirements to facilitate regulatory compliance for entities providing cross-border services. At the same time, competent authorities will also be given a number of new tasks, including the supervision of entities in sectors so far not covered by the NIS Directive.

The revised NIS envisages balancing the burden that may be created by its requirements, notably from the supervision perspective, on both the new entities to be covered and the competent authorities. To achieve this goal it proposes to establish a two layer approach, with a focus on big and key entities (medium and large-sized entities) and a differentiation of supervisory regime that allows only ex post supervision (i.e. reactive and without a general obligation to systematically document compliance) for a large number thereof, notably those considered ‘important’ yet not ‘essential’.

State of Play

Finalised: SWD (2020) 345, 16.12.2020 (evaluation annexed to the impact assessment report)

Scope:

Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (‘NIS Directive’)

Evaluation findings

Overall, the evaluation found the NIS Directive to be a major first step towards raising the common level of cybersecurity amongst the Member States. It has ensured the completion of national frameworks by defining the national cybersecurity strategies, establishing national capabilities and implementing regulatory measures covering the critical infrastructures and actors identified by each Member State. The directive has also greatly contributed to developing the cooperation at the EU level.

However, the growing interconnectedness and dependence on digital technologies as well as the expanding threat landscape have intensified the need for a strong EU response. Member States capabilities are still unequal and resources are often insufficient leaving certain competent authorities in a position, in which they can no longer effectively fulfil their obligations under the directive.

The main issues identified by the evaluation are:

- The scope of the NIS Directive is too limited in terms of sectors covered.

- The NIS Directive is not sufficiently clear when it comes to the scope for operators of essential services. This has led to a situation in which certain types of entities have not been identified in all Member States and are therefore not required to put in place security measures and report incidents.

- The supervision and enforcement regime of the NIS Directive is ineffective. For example, Member States have been very reluctant to apply penalties to entities failing to put in place security requirements or report incidents. This can have negative consequences for the cyber resilience of individual entities.

- The financial and human resources set aside by Member States for fulfilling their tasks, and consequently levels of maturity in dealing with cybersecurity risks, vary greatly. This further exacerbates the differences in cyber resilience between Member States.

- Member States do not share information systematically with one another, with negative consequences in particular for the effectiveness of the cybersecurity measures and for the level of joint situational awareness at EU level. This is also the case for information sharing among private entities, and for the engagement between the EU level cooperation structures and private entities.

Estimated savings and benefits

The results of the targeted consultation activities concerning the costs and benefits of the NIS Directive have highlighted a lack of quantitative data. The estimates of costs and benefits were not available due to the early stage of the NIS Directive implementation and problems with attribution of costs and benefits of new cybersecurity measures to the new directive, the reluctance of stakeholders to share the data and the difficulty to quantify costs and benefits.

However, the respondents of targeted consultations expressed common view, that they did not incur significant operational, administrative, and compliance costs. The costs that the respondents flagged as the most relevant were compliance costs and, in particular, the duplication of efforts and the time invested to comply with different European legislation, imposing different reporting obligations to different authorities, timelines, and criteria. However, the duplication of reporting requirements due to the lack of external coherence cannot be reported as a direct cost of the NIS Directive.

State of Play

Adopted: adopted by the Commission on 16.12.2020, COM (2020) 823

Which objective(s) did the Commission pursue?

The proposal put forward by the Commission in 2020 aimed to improve further the resilience and incident response capacities of public and private entities, competent authorities and the Union as a whole in the field of cybersecurity and critical infrastructure protection. It built on and repeals Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), which is the first piece of EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the Union.

The NIS Directive contributed to improving cybersecurity capabilities at national level by requiring Member States to adopt national cybersecurity strategies and to appoint cybersecurity authorities. It also increased cooperation between Member States at Union level by setting up various fora facilitating the exchange of strategic and operational information. Moreover, the NIS Directive improved the cyber resilience of public and private entities in seven specific sectors (energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructures) and across three digital services (online marketplaces, online search engines and cloud computing services) by requiring Member States to ensure that operators of essential services and digital service providers put in place cybersecurity requirements and report incidents.

The proposal aimed to modernise the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape. Both developments have been further amplified since the onset of the COVID-19 crisis. The proposal also addressed several weaknesses that prevented the NIS Directive from unlocking its full potential.

Estimated savings and benefits

The proposal aimed at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. Most notably, this would be achieved by abolishing the obligation of competent authorities to identify operators of essential services and by increasing the level of harmonisation of security and reporting requirements to facilitate regulatory compliance for entities providing cross-border services. At the same time, competent authorities would also be given a number of new tasks, including the supervision of entities in sectors so far not covered by the NIS Directive.

State of Play

Adopted on 14.12.2022
Directive (EU) 2022/2555
Date of effect: 16.01.2023

Outcome of Legislative Procedure

The Directive (EU) 2022/2555 (‘NIS2 Directive’) has repealed and expanded the scope of the initial legislation. It obliges more entities and sectors to take measures which helps increase the level of cybersecurity in Europe in the longer term. The measures proposed aim to strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

Directive (EU) 2022/2555 entered into force on 16 January 2023, and Member States now have 21 months, until 17 October 2024, to transpose its measures into national law.

Estimated savings and benefits

No changes to the estimated costs and benefits in legislative procedure.