European Commission to review EU Cybersecurity Directive
The European Commission (EC) has launched a consultation on the revision of the EU Cybersecurity Directive.
The Directive on Security of Network and Information Systems (NIS Directive) (also known as the EU Cybersecurity Directive), was introduced to improve and harmonise the security applied to network and information systems across the EU. This was based on the recognition that network and information systems (and the critical services that they underpin) play a vital role in the economy and may be subject to malicious attacks, which can be damaging to the internal market as a whole as well as individuals and businesses. Businesses subject to the NIS regime may be required to comply with a number of obligations (for example, putting in place appropriate and proportionate security measures to protect their systems; reporting incidents to their designated competent authorities within certain time periods; and managing their supply chains).
The EC now considers a revision to the NIS Directive necessary as Member States have chosen to implement the NIS Directive in different ways, leading to a lack of consistency in the level of protection provided across the EU.
The EC is seeking views from a broad category of groups including Member States’ competent authorities, union bodies dealing with cybersecurity, OESs [1], RDSPs [2] and businesses in other ‘vulnerable’ sectors outside the scope of the current NIS Directive.
At this preliminary stage, the EC is considering a range of potential solutions to address the lack of harmonisation, including:
- introducing guidelines and codes of practice to address areas of inconsistency;
- making targeted changes to the NIS Directive to address shortcomings; and
- replacing the NIS Directive with a new framework. As part of this, the EC has indicated that it may extend the scope of the NIS Directive to cover other sectors and services not currently covered.
The latter option in particular will be of interest to businesses currently outside the scope of the NIS Directive who may find themselves subject to a new NIS-type regime, raising additional compliance obligations.
Next steps
The review is due to be completed by the end of 2020 and stakeholders are invited to provide feedback on the review document until 13 August 2020. A separate public consultation was launched on 7 July 2020 and is due to close on 2 October 2020. Businesses should monitor the progress of the consultations and those in scope of the current NIS regime (or in other ‘vulnerable’ sectors) may wish to consider feeding their views into the consultations.
[1] Operators of essential services (OES) – operators of essential services in industries like healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply.
[2] Relevant digital service providers (RDSPs) – operators of online marketplaces, online search engines and cloud computing services meeting certain revenue and staff thresholds.