European Parliament adopts its approach to the NIS2 Directive to strengthen cybersecurity obligations

The European Commission’s proposal for NIS2 will broaden the scope of the current NIS Directive to apply to additional important sectors (such as public administration, providers of public electronic communications networks and services, further digital service providers, postal services, manufacturers of chemicals, medical devices and pharmaceuticals, food and waste water management). It also seeks to address the limitations of the current regime, particularly the diverging approaches taken by different EU Member States, which have led to legal fragmentation of applicable obligations and ultimately inadequate levels of cybersecurity across the EU. You can read about the European Commission’s proposal for NIS2 in Allen & Overy’s alert.

Compared to the European Commission’s proposal, the European Parliament’s text includes the following key changes:

• the minimum cybersecurity risk management measures are expanded to include the use, where appropriate, of cryptography (such as encryption), multi-factor authentication, secured voice, video and text communications, as well as secured emergency communications systems;
• requirements for incident reporting have been further increased and adjusted, with differentiation made between incident reporting obligations based on the nature of the incident (e.g. an impact on availability of service, which can easily be assessed, should be reported within 24 hours of the incident, whereas an issue affecting the confidentiality of the network and data integrity-related incidents, taking longer to investigate, should be reported within 72 hours);
• a requirement for Member States to establish a single point of contact (referred to as ‘single entry point’ in the provisional text) for all notification obligations under NIS2 . Entities can meet their notification obligations for significant incidents by notifying the CSIRT of the Member State in which they have their main establishment within the EU;
• the provisions relating to data sharing are fine-tuned to protect sensitive information shared companies with authorities. They are also expanded to include additional types of information that companies may share in relation to cybersecurity (e.g. metadata and content data, near misses, indicators of compromise, actor specific information, industrial espionage tactics etc.);
• provisions regarding the scope of NIS2 are amended (e.g. proposing to specifically exclude “root name” servers).

The ITRE Committee’s report and the negotiation mandate were confirmed on 10 November 2021 during the European Parliament’s plenary session.  EU Member States are still working on their common approach in the Council of the European Union. The most recent compromise proposal of the Council on NIS2 was prepared by the Presidency of the EU on 27 October 2021, however, this (and other recent) versions of the Council’s proposal are not publicly accessible. The most recent progress report released by the Council to date is available here (17 May 2021).

Read the press release of the European Parliament, the preliminary text of the European Parliament's amendments and the legislative file.