Progress on the NIS Directive reform

France, which holds the current presidency of the EU, announced prior to its term that it would endeavour to push forward negotiations on the NIS 2.0 Directive (the Directive on security of networks and information systems). The Council’s general approach on the directive reform was confirmed by the Transport, Telecommunications and Energy Council on 3 December 2021 and trilogue negotiations have since then kicked off energetically.

The first negotiations between the European Commission, Parliament and Council were held on 13 January 2022, and the parties recognised the significance of the legislative initiative and the need to agree on its content as soon as possible. The issues identified as most critical included mandatory notifications concerning cyber-threats and disruptions (Article 20) and matters related to the scope of the directive (Article 2). The Council had more reservations than the other parties regarding adding new sectors to the directive, because the enforcement of the old NIS Directive is still partly incomplete as it is.

The French presidency was satisfied with these initial talks and predicted that final consensus could be reached as early as April. The second trilogue held on 17 February focused on the scope, the role of the CSIRTs, fines, transposition, the use of delegated and implementing acts, and the Parliament’s role in the implementation of the directive. The following trilogues are agreed for 15 March and 25 April, in addition to back-up date scheduled for 12 May, so the Directive is expected to be completed during the French presidency.

The proposal of the Council includes worthy changes to increase the proportionality, risk management, and criticality criteria of the stipulations of the directive. However, it is important to leave national room for manoeuvre as to the scope and sanction system. We are happy to see that the Council’s proposal reduces the administrative sanctions included in the original proposal.

According to the current draft, the NIS 2.0 Directive must be transposed into national legislation within 24 months of entry into force, which means that the new obligations would come into effect at the earliest in 2024. The extension added to the original proposal is welcome, even indispensable, due to the extensive scope of the directive.

In a statement to the Finnish Parliament’s Transport and Communications Committee, FiCom brought to attention the importance of having a single entry point for notifications. The current legislation already sets strict deadlines, and if entities are expected to notify two or even three different authorities regarding certain situations, this must be possible to do simultaneously and with the same deadlines for all of them. All overlapping regulation and reporting should be avoided.

Asko Metsola, Legal Affairs, FiCom