The European Parliament adopts the NIS 2 Directive

Cyber Policy

The European Parliament adopts the NIS 2 Directive

On Thursday 28 October, the EU Parliament’s committee on Industry, Research and Energy (ITRE) adopted the NIS-2 Directive with 70 votes in favour, 3 against and 1 abstention. This Directive will replace the previous NIS Directive, expanding the scope of cyber resilience and addressing the deficiencies in the first Directive.

In a move to modernise the existing legal cybersecurity framework to reflect the ongoing digital transformation of society, the European Parliament set forward the NIS-2 Directive to update the previous version issued in 2016.

Built on three main pillars, the NIS Directives focus on improving Member State cybersecurity capabilities, developing cybersecurity risk management in the internal market and encouraging information sharing. One of the main changes under the NIS-2 concerns the expansion of the application of cybersecurity to new sectors, additionally introducing a size cap to underline the inclusion of medium and large companies. Meanwhile, the involvement of smaller actors is left to the discretion of Member States, who can decide whether they belong to the critical infrastructure or not.

The NIS-2 Directive is to form one of the baselines for the European cybersecurity framework and to be a central tool in advancing Europe’s strategic autonomy and the Digital Europe Programme.

Compromise Amendment 1 to NIS-2

With the adoption of NIS-2 also comes the adoption of Compromise Amendment 1 (CA 1).  CA 1 stresses the need for “supervision and enforcement obligations on Member States”. It also promotes the development of an integrated technological system, establishing the basis to combine cybersecurity with AI, open source and other emerging technologies.

Generally, CA 1 serves to provide greater detail on a variety of elements of NIS-2, such as essential and important entities – what they entail and what information is required to be submitted to competent authorities. The provision of added guidelines under CA 1 further develops NIS-2 and allows it to continue to target the European cybersecurity ecosystem on a broader scale.

Important to note is how CA 1 brings out the idea of an “active cyber defence” further under NIS-2, including it in the policies that Member States should develop. The adoption of NIS-2 is seemingly promoting not only more stringent regulation but also establishing the building blocks for a strong Digital Europe. The intention appears clearly to move towards deepening the shift of the European cybersecurity framework from a reactive to a proactive approach.

Photo credits: Guillaume Perigoi, Unsplash