High common level of network and information security across the Union. NIS Directive
The Commission supports the results of the inter-institutional negotiations and can therefore accept the Council's position at first reading on the adoption of a Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union.
The Commission noted that, overall, the Council's position endorses the core objectives of the Commission proposal, namely to ensure a high common level of security of network and information systems. However, the Council makes a number of changes regarding how to achieve this goal.
National cybersecurity capabilities: under the Council position, Member States will be required to adopt a national NIS strategy setting out the strategic objectives and appropriate policy and regulatory measures for cybersecurity. Member States will also be required to designate a national competent authority for the implementation and enforcement of the Directive, as well as Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents and risks. Although the Council position does not require Member States to adopt a national NIS cooperation plan, as envisaged in the original proposal, the position can be supported as some aspects of the cooperation plan are retained in the provision on the NIS strategy.
Cooperation between Member States: under the Council position, the Directive will: (i) create a Cooperation Group to support and facilitate strategic cooperation and the exchange of information between the Member States; (ii) create a network of Computer Security Incident Response Teams, known as the CSIRTs Network, to promote swift and effective operational cooperation on specific cybersecurity incidents and the sharing of information about risks.
Though substantively different from the approach taken in the original proposal, the Council position can be supported as it corresponds overall to the objective of improving cooperation between Member States.
Security and notification requirements for operators of essential services: the Commission noted that the Council did not support an obligation for national competent authorities to notify incidents of a criminal nature to law enforcement authorities.
As in the original proposal, the Council position covers such operators in the energy, transport, banking, financial market infrastructures and health sectors. The Council position additionally includes the water and digital infrastructure sectors.
Member States will be required to identify these operators on the basis of certain criteria, such as whether the service is essential for the maintenance of critical societal or economic activities. Although this identification process was not part of the original proposal, it can be accepted given the Member States' obligation to submit to the Commission the information it needs to assess whether Member States are using consistent approaches to identify operators of essential services.
Security and notification requirements for digital service providers: the Council position covers online marketplaces (equivalent to e-commerce platforms in the original proposal), cloud computing services and search engines.
Compared with the original proposal, the Council position does not include: (i) internet payment gateways, which are now covered by the revised Payment Services Directive; (ii) application stores, which are to be understood as a type of online marketplace; (iii) social networks, as per the Council's political agreement with the European Parliament.
The Commission has been granted implementing powers to lay down the procedural arrangements necessary for the functioning of the Cooperation Group, as well as to specify further certain elements concerning digital service providers (DSPs), including the formats and procedures applicable to DSPs' notification requirements.