EU Commission prepares revision of the NIS Directive

Philipp Reusch

The Directive "concerning measures for a high common level of security of network and information systems across the Union" (the NIS Directive, for short), which took effect in 2016, represented the first attempt by European lawmakers to create a standard level of IT security for critical infrastructure in Europe. To this end, minimum requirements were adopted for operators of essential services and digital service providers, as well as reporting duties in case of security incidents. The Directive also called for building up cybersecurity capacity Europe-wide and encouraging member states to cooperate more closely in this area. The sectors affected by the Directive include the financial and insurance sectors, health care, shipping and transportation, energy, water, food and beverage and digital infrastructure, as well as key providers of digital services, such as online marketplaces and search engine operators.

But now, four years after it took effect, a current initiative of the EU Commission calls for a review and revision of the Directive. Part of the process is a public consultation concerning the Commission's road map, which began on 25 June 2020 and is scheduled to conclude on 13 August 2020. The Commission's first objective is to clarify whether the level of IT security in Europe has in fact improved. But the Commission would also like to identify current and future challenges in this area and, ultimately, to evaluate the costs and benefits of regulation. Alongside this first phase of the consultation process, the Commission is also conducting a questionnaire-based evaluation of the Directive, which began on 7 July 2020 and is scheduled to conclude on 2 October 2020.

Even at this early date, it is already evident that the Commission is highly likely to make changes to the NIS Directive and that we can expect requirements for operators to become stricter, as was the case with the IT Security Act 2.0. There is also talk of withdrawing the Directive in favor of a single set of rules, possibly even in the form of a Regulation. It remains unclear how the previously mentioned efforts by the German government to enact national rules by way of the revised IT Security Act will accord with plans at the European level. It appears entirely possible that the German government will end up implementing key aspects of the new rules on its own, as was the case when the NIS Directive was first introduced. In this case, there is likely to be tension between German and European law.

[July 2020]