The Issue With Nis Directive


Recently, the European Parliament and EU member states reached a political agreement on
the Directive on measures for a high common level of cybersecurity across the Union
(Network and Information Systems 2 Directive). The directive was proposed in December
2020.

On account of the increasing degree of digitalization and interconnectedness in society, the
Commission noted concern over the rising number of malicious activities
at the global level and decided to update the 2016 NIS Directive (Directive (EU) 2016/1148).
The new directive aims at improving cybersecurity and the resilience of both public and
private sector entities in the European Union.

As part of a series of measures to control the ill effects of the digital revolution, the European
Commission recently proposed a plan to "detect, report, block, and remove" child sexual abuse images
and videos from online service providers, including messaging apps, an action that prompted
concerns that it may undermine end-to-end encryption (E2EE) protections. In a similar vein,
the draft version of NIS2 explicitly spells out that the use of E2EE "should be reconciled with
the Member States' powers to ensure the protection of their essential security interests and
public security and to permit the investigation, and detection and prosecution of criminal
offences in compliance with Union law."

THE ISSUE WITH NIS DIRECTIVE

The scope of implementation left to the member states led to fragmentation across states.
The reasons for such fragmentation include the unclear delimitation of the NIS Directive's
scope of application, security and incident reporting obligations, and the supervision and
enforcement requirements.

NIS 2

Scope:

With a significant increase in the number of entities covered, the NIS2 obliges more sectors
to take technical and organisational measures to manage risks posed to the security of
networks and information systems. In fact, where the NIS Directive included in its scope of
application operators of essential services and digital service providers, the NIS 2 Directive
proposes to replace these with two new categories of entities.
The NIS2 now includes:

• Annex I: ‘Essential sectors’ covered by the new security provisions include: health,
energy, transport, banking, digital infrastructure, public administration and space
sectors.
• Annex II: ‘Important sectors’ include: entities manufacturing medical devices,
postal services, waste management, food production and processing and digital
providers.

Public and Private:

Article 2 of the NIS 2 Directive establishes that the directive applies to certain public and
private 'essential entities' operating in the sectors listed in Annex I of the Directive (energy,
transport, banking, financial market infrastructures, health, drinking water, wastewater,
digital infrastructure, public administration, and space) and to certain 'important entities'
operating in the sectors listed in Annex II of the NIS 2 Directive (postal and courier services,
waste management, manufacture, production, and distribution of chemicals, food
production, processing, and distribution, manufacturing, and digital providers). In addition, a
size-cap rule is introduced, according to which all medium and large entities, as defined by
Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of
micro, small and medium-sized enterprises, operating in the abovementioned sectors, would
automatically fall within the NIS 2 Directive's scope of application (Recital 8 of the NIS 2
Directive).

Flagging & Into Effect:


The revamped legislation requires the flagging of cybersecurity incidents within 24 hours
of the reporting, failing which monetary penalties can be imposed. Also, under the
agreement, the European Union member states are mandated to incorporate the provisions
into their national law within a period of 21 months from when the directive goes into force.

Note: For the adoption of the NIS 2 Directive, both the Parliament and the Council, as
co-legislators, will need to agree on the final text.
