NIS Directive, the European Commission's consultation under way

Article
Camilla Palla
cybersecurity

In a historical period like the current one, in which we are becoming increasingly dependent on digital, cybersecurity acquires a crucial importance in the lives of all European citizens. With this in mind, the Commission has officially opened the public consultation on the future revision of Directive (EU) 2016/1148, also known as the NIS Directive, on measures for a common high-level network and information system security in the Union.

The Directive is the Union’s first horizontal tool to protect the internal market. Its main objective is to increase the level of resilience in the Union against cybersecurity risks. The Directive identifies seven policy areas that are closely linked to the security dimension, namely energy, transport, banking, financial markets, health, supply and distribution of drinking water and digital infrastructure, as well as search engines, clouds and online platforms. These sectors are vital for the stability of the internal market and are highly dependent on digital technologies. In fact, the tool includes an obligation for companies operating in the internal market and governments to take measures to prepare, respond and recover services following cyber incidents, the establishment of a risk assessment plan and cybersecurity training and awareness programmes.

The launch of the public consultation is in line with the regular review of the NIS Directive, provided for in Article 23 of the same measure, with the aim of verifying its functioning and application in each Member State. The review should take place as announced by the Commission and in line with the policy objective of making “Europe fit for the digital age” by the end of 2020. In this way, the review would take place earlier than foreseen in the above-mentioned article, initially scheduled for May 2021.

The review has a threefold objective: to assess qualitatively and quantitatively the possible improvement of cybersecurity in the EU, to identify existing and potentially emerging key security issues affecting the functioning of the Directive, and to identify and quantify the regulatory costs and benefits.

The results of the Commission’s evaluation, together with those emerging from the public consultation, will form the foundation for potential regulatory action to strengthen and update the tool in the light of new evidence.

The key objective remains to increase national and EU security preparedness by strengthening the capacity to prevent, detect and mitigate cyber threats. This regulatory framework aims at reducing the fragmentation of the internal market by increasing the level of harmonisation of requirements applied to all stakeholders within the identified key areas.

The public consultation will be open to all citizens and key stakeholders in the sectors concerned, as well as institutional bodies within individual Member States. Comments and opinions will be received until 2 October 2020.