The European Union adopted the Network and Information Security Directive, known as the NIS Directive, back in 2016. If you work in the field of IT and cybersecurity, or if you are an operator of an essential service, then you have likely already encountered this directive. Now, the European Union is expanding this framework with a new directive on cybersecurity—the so-called NIS2.
The European Union adopted the Network and Information Security Directive, known as the NIS Directive, back in 2016. If you work in the field of IT and cybersecurity, or if you are an operator of an essential service, you have likely already encountered this directive. Its full official title is Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of network and information systems across the Union. Now the European Union is expanding this framework with a new directive on cybersecurity—the so-called NIS2.
NIS2 Timeline
The first information regarding the amendment and expansion of NIS was published as early as late 2017, less than two years after the adoption of this directive. The Parliament called for attention to be focused on the security of all devices subject to cybersecurity requirements and for measures to be adopted to promote a security-by-design approach. In doing so, the Parliament effectively urged Member States to accelerate the establishment of teams tasked with addressing cybersecurity emergencies, through which businesses and consumers can report malicious emails and websites, as provided for in the NIS Directive.
Subsequently, in a resolution dated March 12, 2019, the European Parliament called on “... the Commission to assess the need to further extend the scope of the NIS Directive to other critical sectors and services not covered by specific sectoral legislation.”
Following that resolution, the Commission worked intensively for nearly two years on the new NIS2 Directive, presenting on December 16, 2020, a proposal for a directive on measures to achieve a high common level of cybersecurity across the Union (NIS2), which would repeal and replace the existing NIS Directive (NIS1).
Within the European Parliament, the NIS2 agenda was assigned to the Committee on Industry, Research, and Energy. The committee adopted its report on October 28, 2021, and at the same time adopted a mandate to begin interinstitutional negotiations. The European Council approved its participation in the approval process on December 3, 2021. Together, the co-legislators reached a provisional agreement on the text on May 13, 2022. The text must now be formally adopted by both institutions, with the Parliament set to vote on it in plenary in the coming months—we expect this vote to take place by the end of 2022. Member states will then have 21 months (instead of the originally proposed 18 months) to transpose the directive into national law. We are already familiar with the proposal and the main changes that the NIS2 Directive will bring.
We expect the NIS2 Directive to take effect and be transposed in the Slovak Republic by 2024.
