Explanatory Memorandum to COM(2020)823 - Measures for a high common level of cybersecurity across the Union




1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

This proposal is part of a package of measures to improve further the resilience and incident response capacities of public and private entities, competent authorities and the Union as a whole in the field of cybersecurity and critical infrastructure protection. It is in line with the Commission’s priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people. Cybersecurity is a priority in the Commission’s response to the COVID-19 crisis. The package includes a new Strategy on Cybersecurity with the aim of strengthening the Union’s strategic autonomy to improve its resilience and collective response and to build an open and global internet. Finally, the package contains a proposal for a directive on the resilience of critical operators of essential services, which aims to mitigate physical threats against such operators.

This proposal builds on and repeals Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), which is the first piece of EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the Union. The NIS Directive has (1) contributed to improving cybersecurity capabilities at national level by requiring Member States to adopt national cybersecurity strategies and to appoint cybersecurity authorities; (2) increased cooperation between Member States at Union level by setting up various fora facilitating the exchange of strategic and operational information; and (3) improved the cyber resilience of public and private entities in seven specific sectors (energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructures) and across three digital services (online marketplaces, online search engines and cloud computing services) by requiring Member States to ensure that operators of essential services and digital service providers put in place cybersecurity requirements and report incidents.

The proposal modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape. Both developments have been further amplified since the onset of the COVID-19 crisis. The proposal also addresses several weaknesses that prevented the NIS Directive from unlocking its full potential.

Notwithstanding its notable achievements, the NIS Directive, which paved the way for a significant change in mind-set in relation to the institutional and regulatory approach to cybersecurity in many Member States, has also proven its limitations. The digital transformation of society (intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about new challenges which require adapted and innovative responses. The number of cyber-attacks continues to rise, with increasingly sophisticated attacks coming from a wide range of sources inside and outside the EU.

The evaluation on the functioning of the NIS Directive, conducted for the purposes of the Impact Assessment, identified the following issues: (1) the low level of cyber resilience of businesses operating in the EU; (2) the inconsistent resilience across Member States and sectors; and (3) the low level of joint situational awareness and lack of joint crisis response. For example, certain major hospitals in a Member State do not fall within the scope of the NIS Directive and hence are not required to implement the resulting security measures, while in another Member State almost every single healthcare provider in the country is covered by the NIS security requirements.

Being an initiative within the Regulatory Fitness Programme (REFIT), the proposal aims at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. Most notably, this is achieved by abolishing the obligation of competent authorities to identify operators of essential services and by increasing the level of harmonisation of security and reporting requirements to facilitate regulatory compliance for entities providing cross-border services. At the same time, competent authorities will also be given a number of new tasks, including the supervision of entities in sectors so far not covered by the NIS Directive.

Consistency with existing policy provisions in the policy area

This proposal is part of a wider set of existing legal instruments and upcoming initiatives at Union level aimed at increasing the resilience of public and private entities against threats.

In the area of cybersecurity, these are notably Directive (EU) 2018/1972 establishing the European Electronic Communications Code (the cybersecurity-related provisions of which will be replaced by the provisions of the proposal at hand) and the proposal for a Regulation on digital operational resilience for the financial sector (COM(2020) 595 final), which will be considered as lex specialis to the proposal at hand once both acts have come into force.

In the area of physical security, the proposal complements the proposal for a Directive on the resilience of critical entities, which revises Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (ECI Directive), which establishes a Union process for identifying and designating European critical infrastructures, and sets out an approach for improving their protection. In July 2020, the Commission adopted the EU Security Union Strategy1, which acknowledged the increasing interconnection and interdependency between physical and digital infrastructures. It underlined the need for a more coherent and consistent approach between the ECI Directive and the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.

The proposal is therefore closely aligned with the proposal for a Directive on the resilience of critical entities, which aims at enhancing the resilience of critical entities against physical threats in a large number of sectors. The proposal aims to ensure that competent authorities under both legal acts take complementary measures and exchange information as necessary regarding cyber and non-cyber resilience, and that particularly critical operators in the sectors considered to be ‘essential’ per the proposal at hand are also subject to more general resilience-enhancing obligations with an emphasis on non-cyber risks.

Consistency with other Union policies

As set out in the Communication ‘Shaping Europe’s digital future’2, it is crucial for Europe to reap all the benefits of the digital age and to strengthen its industry and innovation capacity, within safe and ethical boundaries. The European strategy for data sets out four pillars – data protection, fundamental rights, safety and cybersecurity – as essential pre-requisites for a society empowered by the use of data.

1 COM(2020)605 final.

2 COM(2020)67 final.

In a resolution from 12 March 2019, the European Parliament called “[…] on the Commission to assess the need to further enlarge the scope of the NIS Directive to other critical sectors and services that are not covered by sector-specific legislation”.3 The Council, in its conclusions from 9 June 2020, welcomed “[…] the Commission’s plans to ensure consistent rules for market operators and facilitate secure, robust and appropriate information-sharing on threats as well as incidents, including through a review of the Directive on security of network and information systems (NIS Directive), to pursue options for improved cyber resilience and more effective responses to cyber-attacks, particularly on essential economic and societal activities, whilst respecting Member States’ competences, including the responsibility for their national security.”4 Furthermore, the proposed legal act is without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union (TFEU).

Given that a significant part of the cybersecurity threats have their origin outside of the EU, a coherent approach to international cooperation is needed. This Directive shall constitute a reference model to be promoted in the context of the EU’s cooperation with third countries, notably when providing external technical assistance.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The legal basis for the NIS Directive is Article 114 of the Treaty on the Functioning of the European Union, whose objective is the establishment and functioning of the internal market by enhancing measures for the approximation of national rules. As held by the Court of Justice of the EU in its judgement in Case C-58/08 Vodafone and others, the resort to Article 114 TFEU is justified where there are differences between national rules which have a direct effect on the functioning of the internal market. Equally, the Court held that where an act based on Article 114 TFEU has already removed any obstacle to trade in the area that it harmonises, the Union legislature cannot be denied the possibility of adapting that act to any change in circumstances or development of knowledge having regard to its task of safeguarding the general interests recognised by the Treaty. Finally, the Court held that the measures for the approximation covered by Article 114 TFEU are intended to allow a margin of discretion, depending on the general context and the specific circumstances of the matter to be harmonised, as to the method of approximation most appropriate to achieve the desired result. The proposed legal act would remove obstacles to, and improve the establishment and functioning of, the internal market for essential and important entities by establishing clear, generally applicable rules on the scope of application of the NIS Directive and harmonising the rules applicable in the area of cybersecurity risk management and incident reporting. Current disparities in this area, both at legislative and supervisory levels, as well as at national and EU levels, are obstacles to the internal market because entities that engage in cross-border activities face different, and possibly overlapping, regulatory requirements and/or their application, to the detriment of the exercise of their freedoms of establishment and of provision of services. Different rules also have a negative impact on the conditions of competition in the internal market when it comes to entities of the same type in different Member States.

3 https://www.europarl.europa.eu/doceo/document EN.html

4 https://data.consilium.europa.eu/doc/document/ST-8711-2020-INIT/en/pdf

Subsidiarity (for non-exclusive competence)

Cybersecurity resilience across the Union cannot be effective if approached in a disparate manner through national or regional silos. The NIS Directive partly addressed this shortcoming by setting a framework for network and information systems security at national and Union levels. However, its transposition and implementation also brought to light inherent shortcomings and limits of certain provisions or approaches, such as the unclear delimitation of the scope of the directive, leading to significant differences in the extent and depth of de facto EU intervention at Member State level. Furthermore, since the COVID-19 crisis, the European economy has grown even more dependent on network and information systems than ever before, and sectors and services are increasingly interconnected. EU intervention going beyond the current measures of the NIS Directive is justified mainly by: (i) the increasingly cross-border nature of the NIS-related threats and challenges; (ii) the potential of Union action to improve and facilitate effective and coordinated national policies; and (iii) the contribution of concerted and collaborative policy actions to the effective protection of data protection and privacy.

Proportionality

The rules proposed in this Directive do not go beyond what is necessary to meet the specific objectives satisfactorily. The envisaged alignment and streamlining of security measures and reporting obligations relate to Member States and businesses’ requests to improve the current framework.

The proposal takes account of the already existing practices in the Member States. An enhanced level of protection achieved through such streamlined and coordinated requirements is proportionate to the increasingly high risks faced, including those presenting a cross-border element; the requirements are reasonable and generally correspond to the interest of the entities involved in ensuring continuity and quality of their services. The costs for ensuring systematic cooperation amongst Member States would be small as compared to the economic and societal losses and damages caused by cybersecurity incidents. Furthermore, the stakeholder consultations held in the context of the review of the NIS Directive, including the results of the Open Public Consultation and targeted surveys, show support for the revision of the NIS Directive along the above-mentioned lines.

Choice of the instrument

The proposal will further streamline the obligations imposed on businesses and ensure a higher level of harmonisation thereof. At the same time, the proposal aims at providing Member States with the flexibility needed to take into account national specificities (such as the possibility to identify additional essential or important entities going beyond the baseline set by the legal act). The future legal instrument should therefore be a Directive, as this legal instrument allows for targeted improved harmonisation as well as a certain degree of flexibility for competent authorities.


3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

The Commission has carried out an evaluation of the functioning of the NIS Directive. It has analysed its relevance, EU added value, coherence, effectiveness and efficiency. The main findings of this analysis are:

The scope of the NIS Directive is too limited in terms of the sectors covered, mainly due to: (i) increased digitisation in recent years and a higher degree of interconnectedness, (ii) the scope of the NIS Directive no longer reflecting all digitised sectors providing key services to the economy and society as a whole.

The NIS Directive is not sufficiently clear when it comes to the scope for operators of essential services and its provisions do not provide sufficient clarity regarding national competence over digital service providers. This has led to a situation in which certain types of entities have not been identified in all Member States and are therefore not required to put in place security measures and report incidents.

The NIS Directive allowed wide discretion to the Member States when laying down security and incident reporting requirements for operators of essential services (hereinafter called ‘OES(s)’). The evaluation shows that in some instances Member States have implemented these requirements in significantly different ways, creating additional burden for companies operating in more than one Member State.

The supervision and enforcement regime of the NIS Directive is ineffective. For example, Member States have been very reluctant to apply penalties to entities failing to put in place security requirements or report incidents. This can have negative consequences for the cyber resilience of individual entities.

The financial and human resources set aside by Member States for fulfilling their tasks (such as OES identification or supervision), and consequently the different levels of maturity in dealing with cybersecurity risks, vary greatly. This further exacerbates the differences in cyber resilience between Member States.

Member States do not share information systematically with one another, with negative consequences in particular for the effectiveness of the cybersecurity measures and for the level of joint situational awareness at EU level. This is also the case for information sharing among private entities, and for the engagement between the EU level cooperation structures and private entities.

Stakeholder consultations

The Commission has consulted a broad range of stakeholders. Member States and stakeholders were invited to participate in the Open Public Consultation and in the surveys and workshops organised by Wavestone, CEPS and ICF, who the Commission has contracted to carry out a study supporting the review of the NIS Directive. The consulted stakeholders included competent authorities, Union bodies dealing with cybersecurity, operators of essential services, digital service providers, entities providing services outside the scope of the current NIS Directive, trade associations and consumer organisations and citizens.

[Annex 5 of the Impact Assessment]


In addition, the Commission has been in constant touch with the competent authorities in charge of implementing the NIS Directive. The Cooperation Group has extensively covered various cross-cutting and sectoral implementation aspects. Finally, during its NIS country visits in 2019 and 2020, the Commission has interviewed 154 public and private entities, as well as 117 competent authorities.

Collection and use of expertise

The Commission has contracted a consortium of Wavestone, CEPS and ICF to support the Commission in the review of the NIS Directive. The contractor has not only reached out to the stakeholders directly affected by the NIS Directive through targeted surveys and workshops but has also consulted with a wide range of experts in the field of cybersecurity, such as cybersecurity researchers and cybersecurity industry professionals.

Impact assessment

This proposal is accompanied by an impact assessment, which was submitted to the Regulatory Scrutiny Board (RSB) on 23 October 2020 and received a positive opinion with comments by the RSB on 20 November 2020. The RSB recommended improvements in some areas with a view to: (1) better reflect the role of cross-border spillovers in the problem analysis; (2) better explain what success would look like for the initiative; (3) further justify the list of policy options; (4) further elaborate on the costs of the proposed measures. The impact assessment was adjusted to address these points, as well as more detailed comments from the RSB. It now includes more detailed explanations of the role of cross-border spillovers in the field of cybersecurity, a clearer overview of how success can be measured, a more detailed explanation of the design and logic behind the different policy options and actions considered within these options, a more detailed explanation of the aspects analysed in relation to the sectorial scope of the NIS Directive and further clarifications regarding costs.

The Commission considered a number of policy options for improving the legal framework in the area of cyber resilience and incident response:

“Do nothing”: The NIS Directive would remain unchanged and no other measures of non-legislative nature would be taken to target the problems identified by the evaluation of the NIS Directive.

Option 1: There would be no changes at legislative level. Instead, the Commission would issue recommendations and guidelines (such as on the identification of operators of essential services, security requirements, incident notification procedures and supervision), upon consultation of the Cooperation Group, the EU Agency for Cybersecurity (ENISA) and, as applicable, the network of Computer security incident response teams (CSIRTs).

Option 2: This option entails targeted amendments to the NIS Directive, including an extension of the scope and several other amendments that would aim at guaranteeing certain immediate solutions to the problems identified, providing more clarity and further harmonisation (such as provisions to harmonise identification thresholds).

Study to support the review of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) – N° 2020-665. Wavestone, CEPS and ICF.

[Links to final document and to the summary sheet to be added.]



The amended NIS Directive would however maintain the main building blocks, approach and rationale.

Option 3: This scenario entails systemic and structural changes to the NIS Directive (through a new directive) envisaging a more fundamental shift of approach towards covering a wider segment of the economies across the Union, yet with a more focused supervision targeting big and key players. It would also streamline the obligations imposed on businesses and ensure a higher level of harmonisation thereof, create a more effective setting for operational aspects, as well as establish a clear basis for enhanced shared responsibilities and accountability of various stakeholders on cybersecurity measures.

The Impact Assessment concludes that the preferred option is option 3 (i.e. systemic and structural changes to the NIS framework). In terms of effectiveness, the preferred option would clearly determine the scope of application of the NIS Directive, extended to a more representative fraction of EU economies and societies, and the streamlining of requirements, along with a more defined framework for supervision and enforcement that would aim at increasing the level of compliance. It also entails measures aimed at improving policy building approaches at Member States level and changing the paradigm thereof, promoting new frameworks for supplier relationships risk management and coordinated vulnerability disclosure. At the same time, the preferred policy option establishes a clear basis for shared responsibilities and accountability and envisages mechanisms aimed at fostering more trust among Member States, both authorities and industry, incentivising information sharing and ensuring a more operational approach, such as the mutual assistance and the peer-review mechanisms. This option would also provide for an EU crisis management framework, building on the recently launched EU operational network, and would ensure more involvement of ENISA, within its current mandate, in holding an accurate overview of the cybersecurity state of the Union.

In terms of efficiency, while the preferred option would entail additional compliance and enforcement costs for businesses and Member States, it would also lead to efficient trade-offs and synergies, with the best potential out of all policy options analysed to ensure an increased and consistent level of cyber resilience of key entities across the Union that would eventually lead to cost savings for both businesses and society. This policy option would lead to certain additional administrative burden and compliance costs for the Member States authorities. However, on balance, in the medium and long term it would also bring substantial benefits through increased cooperation among Member States, including at operational level, as well as incentivising, through mutual assistance, peer-review mechanisms and better overview of and interaction with key businesses, an overall increase in cybersecurity capabilities at national and regional level. The preferred policy option would also ensure to a great extent coherence with other legislation, initiatives or policy measures, including sector-specific lex specialis.

Addressing the currently persisting insufficiency of cybersecurity preparedness at a Member State level and at the level of companies and other organisations could result in efficiency gains and reduction of additional costs resulting from cybersecurity incidents.

For essential and important entities, increasing the level of cybersecurity preparedness could result in mitigating potential loss of revenue due to disruptions – including from industrial espionage – and could reduce the large expenses for an ad-hoc threat mitigation. Such gains are likely to outweigh the necessary investment costs. Reducing fragmentation in the internal market would also improve the level playing field among operators.

For Member States, it could further reduce the risk of growing budgetary expenses for ad-hoc threat mitigation and additional costs in case of emergencies related to cybersecurity incidents.

For citizens, addressing cybersecurity incidents is expected to result in reduced loss of income due to economic disruption.

The increased levels of cybersecurity across the Member States and the ability of companies and authorities to respond quickly to an incident and mitigate its impact will most likely result in an increase of the overall trust of citizens in the digital economy, which might have a positive impact on growth and investment.

Increasing the overall level of cybersecurity is likely to lead to an increased overall security and smooth uninterrupted functioning of essential services, which are critical for the society. The initiative may also contribute to other social impacts such as reduced levels of cybercrime and terrorism and increased civil protection. Increasing the level of cyber preparedness for businesses and other organisations may avoid potential financial losses as a result of cyberattacks, thus preventing the need to lay off employees.

Increasing the overall level of cybersecurity could also lead to the prevention of environmental risks/damage in case of an attack on an essential service. This could be particularly valid for the energy, water supply and distribution or transport sectors. By strengthening the cybersecurity capabilities, the initiative could lead to more use being made of latest generation ICT infrastructures and services that are also environmentally more sustainable and to the replacement of inefficient and less secure legacy infrastructures. This is expected to contribute also to reducing the number of costly cyber incidents, freeing up resources available for sustainable investments.

Regulatory fitness and simplification

The proposal foresees a general exclusion of micro and small entities from the NIS scope and a lighter ex-post supervisory regime applied to a large number of the new entities under the revised scope (so-called important entities). These measures aim to minimise and balance the burden put on companies and public administrations. Furthermore, the proposal replaces the complex identification system for operators of essential services with a generally applicable obligation and introduces a higher level of harmonisation of security and reporting obligations, which would decrease compliance burden, especially for entities providing cross-border services.

The proposal minimizes compliance costs for SMEs, as entities are required to take only those measures necessary to ensure a level of security of network and information systems that is appropriate to the risk presented.

Fundamental rights

The EU is committed to ensuring high standards of protection of fundamental rights. All voluntary information sharing arrangements between entities that this Directive promotes would be conducted in trusted environments in full respect of Union data protection rules, notably Regulation (EU) 2016/679 of the European Parliament and of the Council8.

8 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

4. BUDGETARY IMPLICATIONS

See financial fiche

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The proposal includes a general plan for monitoring and evaluating the impact on the specific objectives, requiring the Commission to carry out a review at least [54 months] after the date of entry into force, and to report to the European Parliament and the Council on its main findings.

The review is to be conducted in line with the Commission’s Better Regulation Guidelines.

Detailed explanation of the specific provisions of the proposal

The proposal is structured around several main policy areas, which are inter-related and serve the purpose of raising the level of cybersecurity in the Union.

3. Subject matter and scope (Article 1 and Article 2)

The Directive, in particular: (a) lays down obligations for the Member States to adopt a national cybersecurity strategy, designate competent national authorities, single points of contact and CSIRTs; (b) provides that Member States shall lay down cybersecurity risk management and reporting obligations for entities referred to as essential entities in Annex I and important entities in Annex II; (c) provides that Member States shall lay down obligations on cybersecurity information sharing.

It applies to certain public or private essential entities operating in the sectors listed in Annex I (energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; public administration and space) and certain important entities operating in the sectors listed in Annex II (postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing and digital providers). Micro and small entities within the meaning of Commission Recommendation 2003/361/EC of 6 May 2003 are excluded from the scope of the Directive, except for providers of electronic communications networks or of publicly available electronic communications services, trust service providers, top-level domain (TLD) name registries and public administration, and certain other entities, such as the sole provider of a service in a Member State.

4. National cybersecurity frameworks (Articles 5 to 11)

Member States are required to adopt a national cybersecurity strategy defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of cybersecurity.

The Directive also establishes a framework for Coordinated Vulnerability Disclosure and requires Member States to designate CSIRTs to act as trusted intermediaries and facilitate the interaction between the reporting entities and the manufacturers or providers of ICT products and ICT services. ENISA is required to develop and maintain a European vulnerability registry for the discovered vulnerabilities.

Member States are required to put in place National Cybersecurity Crisis Management Frameworks, inter alia by designating national competent authorities responsible for the management of large-scale cybersecurity incidents and crises.

Member States are also required to designate one or more national competent authorities on cybersecurity for the supervisory tasks under this Directive and a national single point of contact on cybersecurity (SPOC) to exercise a liaison function to ensure cross-border cooperation of Member State authorities. Member States are also required to designate CSIRTs.

5. Cooperation (Articles 12 to 16)

The Directive establishes a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence. It also establishes a CSIRTs network to contribute to the development of confidence and trust between the Member States and to promote swift and effective operational cooperation.

A European Cyber Crises Liaison Organisation Network (EU - CyCLONe) is established to support the coordinated management of large-scale cybersecurity incidents and crises and to ensure the regular exchange of information among Member States and EU institutions.

ENISA is required to issue in cooperation with the Commission a biennial report on the state of cybersecurity in the Union.

The Commission is required to establish a peer-review system allowing regular peer reviews of the effectiveness of the Member States' cybersecurity policies.

6. Cybersecurity risk management and reporting obligations (Articles 17 to 23)


The Directive requires Member States to provide that the management bodies of all entities under its scope approve the cybersecurity risk management measures taken by their respective entities and follow specific cybersecurity-related training.

Member States are required to ensure that entities under the scope take appropriate and proportionate technical and organisational measures to manage the cybersecurity risks posed to the security of network and information systems. They are also required to ensure that entities notify the national competent authorities or the CSIRTs of any cybersecurity incident having a significant impact on the provision of the service they provide.

TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data. Furthermore, such entities are required to provide efficient access to domain registration data for legitimate access seekers.

7. Jurisdiction and Registration (Articles 24 and 25)


As a rule, essential and important entities are deemed to be under the jurisdiction of the Member State where they provide their services. However, certain types of entities (DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, as well as certain digital providers) are deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union. This is to ensure that such entities do not face a multitude of different legal requirements, as they provide services across borders to a particularly high extent. ENISA is required to create and maintain a registry of the latter type of entities.

8. Information sharing (Articles 26 and 27)


Member States shall provide rules enabling entities to engage in cybersecurity-related information sharing within the framework of specific cybersecurity information-sharing arrangements, in compliance with Article 101 TFEU. In addition, Member States shall allow entities outside the scope of this Directive to report, on a voluntary basis, significant incidents, cyber threats or near misses.

9. Supervision and enforcement (Articles 28 to 34)


Competent authorities are required to supervise the entities under the scope of the Directive, and in particular to ensure their compliance with the security and incident notification requirements. The Directive distinguishes between an ex ante supervisory regime for essential entities and an ex post supervisory regime for important entities, the latter requiring competent authorities to take action only when provided with evidence or an indication that an important entity does not meet the security and incident notification requirements.

The Directive also requires Member States to impose administrative fines on essential and important entities and defines certain maximum fines.

Member States are required to cooperate and assist each other as necessary when entities provide services in more than one Member State or when an entity’s main establishment or its representative is located in a certain Member State but its network and information systems are located in one or more other Member States.