Council of the EU agrees common approach to NIS2 Directive

The Council’s common approach follows the European Parliament’s decision on the text reached on 28 October 2021, summarised in our blog here.

Compared to the initial proposal for NIS2, the Council has introduced a number of significant changes, including the following:

• modifying the provisions that widen the scope of the current NIS Directive to cover all medium-sized and large organisations that operate within certain sectors - while maintaining the proposed size-cap rule, the Council introduced additional criteria to determine the entities to be covered by NIS2;
• expressly excluding from the scope entities operating in defence or national security, public security, law enforcement and the judiciary, as well as parliaments and central banks;
• clarifying that public administration entities of central governments will be covered by NIS2, and Member States will be able to expand the scope to such entities at regional and local level;
• aligning the text with other proposed sector-specific legislation, including the proposed Directive on the resilience of critical entities (CER Directive) and the proposed Regulation on digital operational resilience for the financial sector (DORA), both currently debated by EU legislators;
• simplifying incident reporting obligations to avoid over-reporting; and
• extending the period for Member States to transpose NIS2 into national law to two years (from 18 months). 

For more information on the initial proposal for NIS2, see our 2020 publication New EU Cybersecurity Strategy: European Commission accelerates push for EU to lead in cybersecurity regulation.  Read this recent blog post on the European Parliament's position on NIS2.

Read the EU Council's press release 'Strengthening EU-wide cybersecurity and resilience – Council agrees its position', and the approved text.