Council of the European Union proposals for the NIS2 Directive and CER Directive
In December 2021, the Council of the European Union, then under the Slovenian presidency, reached a consensus on the wording of two directives: the NIS2 Directive, due to replace the current NIS Directive (2016/1148) in force since 2016, and the Critical Entity Resilience Directive (CER), due to replace Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European Critical Infrastructures.
The wording put forward by the Council of the European Union does not fundamentally change the proposals for the directives made by the European Commission at the end of 2020. The changes mainly refine the proposals the EC made one year before.
It is no coincidence that work on the NIS2 Directive and the CER Directive is being conducted at the same time – these directives each complement the other to form a common framework to protect key operators active in the EU. One of the ways in which the proposed solutions complement each other is that the directives specify very similar groups of operators subject to the obligations provided for in the two directives. NIS2 refers to essential entities, while the CER Directive refers to critical entities. The difference is that while the NIS2 Directive is intended to make cyber security laws the same across member states, the CER Directive lays down rules for combating threats other than cyber risk.
The sectors intended to be covered by the two directives are energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration, and space.
The two directives are also intended to strengthen cooperation between member states in countering emerging threats. In addition to harmonization of laws, new bodies will be set up at EU level to assist with compliance with the obligations under the directives. Under the NIS2 Directive, the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) will be set up to coordinate the handling of cyber security incidents on a broad scale, while under the CER Directive the Critical Entities Resilience Group will be set up to share information on the issues addressed in that directive.
The position presented by the EU Council means that it can begin negotiations with the European Parliament to agree the final wording of the two directives. When will the directives come into force? Enactment is still a remote prospect – in addition to the time needed for EU bodies to finalize the wording and pass the directives, member states will have two years to transpose them from the moment they take effect.