The text of the Council’s agreed ‘general approach’ (150-page/ 1.08MB PDF), however, clarifies that NIS2 will not apply to entities carrying out activities in areas like defence or national security, public security, law enforcement and the judiciary.
Parliaments and central banks would also be exempt from NIS2’s scope, though the public administration arms of central governments would not.
Member states would be left to decide whether NIS2 applies to the public administration of their regional and local governments too.
The Council also reduced the directive’s reporting obligations in order to avoid causing “over-reporting and creating an excessive burden on the entities covered”.
EU nations would have two years from NIS2 taking force in which to incorporate the provisions into their domestic law, according to the Council’s text.
NIS2 will also formally establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will coordinate the bloc’s management of large-scale cyberattacks.
Stuart Davey, cybersecurity expert at Pinsent Masons, said: “One of the main EU-based criticisms of the original NIS directive was the disparate manner in which it was implemented across the EU.”
“While NIS2 is not a regulation – and therefore there remains scope for continued divergence – the introduction of minimum rules will start to narrow down those areas of divergence,” he added.
“That, and the introduction of a broader framework for EU level cooperation, is likely to increase the ability for EU member states to coordinate responses to cross border incidents.”
“It remains to be seen the extent to which any of the changes in NIS2 impact upon the UK, at least in the short term,” Davey said.
“The UK government completed a legislative review of the 2018 NIS regulations last year. It will continue to review them every five years, meaning the next post-implementation review isn’t for another three-odd years.”
“The UK government has expressed a preference for NIS to remain flexible, to adapt to changing circumstances and allow competent authorities to tailor their respective approaches to regulation,” he added.
Agreement over its general approach to NIS2 will allow the Council’s presidency to begin negotiations with the European Parliament next year.
Both the Council and the European Parliament will need to agree to the detail of the final text.