Background and Rationale
The European Commission has adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive).
The digital transformation of society (intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about new challenges, which require adapted and innovative responses. Now any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the whole internal market.
To address these challenges, as announced in the Communication on Shaping Europe’s Digital Future, the Commission accelerated the Directive’s review to the end of 2020, carried out an impact assessment and presented a new legislative proposal.
Key Elements of the Commission Proposal
The Commission proposal expands the scope of the current NIS Directive by:
- adding new sectors; and
- introducing a clear size cap.
The proposal also:
Which Sectors are covered?
Energy, Transport, Banking, Financial Market Institutions, Health, Drinking Water, Waste Water, Digital Infrastructure, Public Administrations, Space, Postal and Courier Services, Waste Management, Chemicals, Food, Manufacturing, and Digital Providers.
The Proposal will be subject to negotiations between the co-legislators, notably the Council of the EU and the European Parliament. Once the proposal is agreed and consequently adopted, Member States will have to transpose the NIS2 Directive within 18 months. The Commission has to periodically review the NIS2 Directive and report for the first time on the review 54 months after the entry into force. The European Commission looks forward to implementing the new Cyber strategy in the coming months.
Is your business included in the covered sectors? Contact us to find out how it affects you. Grant Thornton’s Digital Risk team is experienced in working with clients to achieve their strategic objectives and regulatory requirements. Our team has extensive experience across IT, Cyber, Risk Management and Audit/Assurance services.