European Parliament and Council reach a provisional agreement on the cybersecurity Directive
On 12 May 2022, the Council of the European Union and the European Parliament reached a provisional agreement on measures to ensure a high level of cyber security across the EU. The new cybersecurity Directive (NIS2 Directive) will replace the earlier Directive on security of network and information systems (NIS Directive). Its objective is to improve the level of cybersecurity both in the EU as a whole and in Member States in terms of critical sectors and operators.
"Finland has actively contributed to the discussion on the proposal during the negotiations. The proposal is in line with Finland's own policies and measures concerning information security and data protection," says Minister of Transport and Communications Timo Harakka.
The proposal sets out risk management obligations for critical sectors of society to strengthen cyber security as well as obligations to report on cyber incidents. The proposal would extend the scope of regulation to new sectors and operators, including public administration, the food sector and waste management. It would also continue the existing cooperation mechanisms and strengthen the cooperation.
The Directive establishes a European Cyber Crises Liaison Organisation Network (EU - CyCLONe) to support the coordinated management of large-scale cybersecurity incidents. Finland's representative in the network is the National Cyber Security Centre of the Transport and Communications Agency.
The Commission's proposal is an important part of the new EU Cyber Security Strategy adopted in December 2020 and its objectives.
What's next?
The provisional agreement reached will now have to be adopted by both the Council of the EU and the European Parliament. The French Presidency will soon submit the provisional agreement for adoption to the Permanent Representatives Committee. The Council is expected to adopt the final Directive text at the end of May or in the beginning of June.
According to preliminary information, the Directive will be published in autumn 2022. The Member States have 21 months from the entry into force of the Directive to implement its provisions into their national legislation.
Inquiries:
Marième Korhonen, Senior Specialist, tel. +358 50 535 0433, [email protected]
Sonja Töyrylä, Senior Officer, tel. +358 50 438 4729, [email protected]
Maija Ahokas, Director of Unit, tel. +358 40 031 6178, [email protected]
Council of the EU's press release, 13 May 2022: Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament