Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive)

What it is

to introduce new measures for a common level of cybersecurity across the EU. PROPOSED ACT: Directive of the European Parliament and of the Council. ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council. BACKGROUND: Directive (EU) 2016/1148 of the European Parliament and the Council aimed at building cybersecurity capabilities across the EU, mitigating threats to network and information systems used to provide essential services in key sectors and ensuring the continuity of such services when facing cybersecurity incidents, thus contributing to the EU's economy and society to function effectively. The Committee on Industry, Research and Energy adopted the report by Bart GROOTHUIS (Renew Europe, NL) on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148. The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows: This Directive should apply to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II who provide their services or carry out their activities within the Union. It should not apply to entities that qualify as micro and small enterprises. No later than 6 months after the transposition deadline, Member States should draw up a list of essential and important entities. This list should be updated regularly and at least every two years. Essential and significant entities should submit at least the following information to the competent authorities : (i) name of the entity, (ii) address and updated contact details, including e-mail addresses, (iii) IP ranges, (iv) telephone numbers and (v) the relevant sector(s) and sub-sector(s) listed in Annexes I and II. Entities should inform the competent authorities of any changes to this information. To this end, the European Union Agency for Cyber Security (ENISA), in cooperation with the Cooperation Group, should issue guidelines and templates on notification obligations as soon as possible. Processing of personal data under the Directive would be carried out in accordance with the General Data Protection Regulation (GDPR). The strategy should also include a framework for the allocation of roles and responsibilities of public bodies and entities and other relevant actors, a single point of contact on cyber security for SMEs, and an assessment of the general level of cyber security awareness among citizens. - a cybersecurity policy for each sector covered by the Directive; - requirements for encryption and the use of open source cyber security products; - a policy related to maintaining the overall availability and integrity of the public core of the open Internet , including the cybersecurity of undersea communications cables; - a policy to promote the development and integration of emerging technologies, such as artificial intelligence, into cybersecurity enhancing tools…

Frequently asked