EU: Council announces provisional agreement with Parliament on NIS2 Directive
The Council of the European Union ('the Council') announced, on 13 May 2022, that it had reached a provisional agreement with the European Parliament ('the Parliament') on the proposal for a revised Directive on Security of Network and Information Systems ('NIS2'). In particular, the Council confirmed that it had agreed on measures for a high common level of cybersecurity across the EU, to further improve the resilience and incident response capacities of both the public and private sectors, as well as the EU as a whole. Specifically, the Council noted that NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by NIS2, such as energy, transport, health and digital infrastructure. Furthermore, NIS2 aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different Member States. Additionally, the Council highlighted that, to achieve this, NIS2 sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each Member State. In light of this, NIS2 updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.
Moreover, the Council, alongside the European Parliament, had aligned the text with sector-specific legislation, notably the Digital Operational Resilience Act ('DORA') and the Directive on the Resilience of Critical Entities ('CER'), to provide legal clarity and to ensure coherence between NIS2 and such acts.
Lastly, the Council added that the provisional agreement is now subject to approval by the Council and the Parliament and that, in relation to the Council, the French presidency intends to submit the agreement to the Council's Permanent Representatives Committee for approval.
You can read the press release here.