EU Commission prepares revision of the NIS Directive

The Directive “concerning measures for a high common level of security of network and information systems across the Union” (the NIS Directive, for short), which took effect in 2016, represented the first attempt by European lawmakers to create a standard level of IT security for critical infrastructure in Europe. To this end, minimum requirements were adopted for operators of essential services and digital service providers, as well as reporting duties in case of security incidents. The Directive also called for building up cybersecurity capacity Europe-wide and encouraging member states to cooperate more closely in this area. The sectors affected by the Directive include the financial and insurance sectors, health care, shipping and transportation, energy, water, food and beverage and digital infrastructure, as well as key providers of digital services, such as online marketplaces and search engine operators.

But now, four years after it took effect, a current initiative of the EU Commission calls for a review and revision of the Directive. Part of the process is a public consultation concerning the Commission’s road map, which began on 25 June 2020 and is scheduled to conclude on 13 August 2020. The Commission’s first objective is to clarify whether the level of IT security in Europe has in fact improved. But the Commission would also like to identify current and future challenges in this area and, ultimately, to evaluate the costs and benefits of regulation. Alongside this first phase of the consultation process, the Commission is also conducting a questionnaire-based evaluation of the Directive, which began on 7 July 2020 and is scheduled to conclude on 2 October 2020.

Even at this early date, it is already evident that the Commission is highly likely to make changes to the NIS Directive and that we can expect requirements for operators to become stricter, as was the case with the IT Security Act 2.0. There is also talk of withdrawing the Directive in favor of a single set of rules, possibly even in the form of a Regulation. It remains unclear how the previously mentioned efforts by the German government to enact national rules by way of the revised IT Security Act will accord with plans at the European level. It appears entirely possible that the German government will end up implementing key aspects of the new rules on its own, as was the case when the NIS Directive was first introduced. In this case, there is likely to be tension between German and European law.
