The Review Of The Nis Directive - What To Expect

• Published date: 05 January 2021
• Subject Matter: Corporate/Commercial Law, Technology, Shareholders, Security
• Law Firm: Maravela, Popescu & Asociatii
• Author: Ms Cristina Crețu and Laura M. Dinu

1. Introduction

Though not more than two years have passed since the Directive on security of network and information systems¹ ("NIS Directive") had to be transposed by the Member States into their national legislation, the European Commission (the "Commission") has announced, early this year, its intention to review the NIS Directive. The initiative comes earlier than planned, due to the fact that there is a dire need to "further strengthen overall cybersecurity in the Union".

In order to prepare the review, the Commission already took several steps in this direction, namely:

1. drafted and published a report that assessed the consistency of Member States' approaches in the identification of operators of essential services;
2. published a combined evaluation roadmap/inception impact assessment
3. organized a public consultation that was opened for 12 weeks in order to gather views on the implementation and the impact of the envisioned changes to the NIS Directive;
4. organized several workshops to discuss the impact of the envisioned changes. Following the steps mentioned above, the Commission will adopt in the last quarter of 2020 the review of the NIS Directive.

2. Targeted changes

The consultation period offered the opportunity to more than one hundred stakeholders to provide feedback on the implementation and functioning of the NIS Directive. Based on the collected feedback, the Commission was able to identity several issues related to the implementation of the same and to pursue some potential changes, such as:

1. transforming the NIS Directive into a regulation, due to fact that the wide margin of discretion granted to Member States in implementing the NIS Directive might undermine the level playing field for some operators and lead to further fragmentation of the single market. However, according to the public information on the review of the NIS Directive², the review will take the form of a Directive;
2. enlarging the scope of the NIS Directive, as several additional sectors and subsectors have been identified as essential by the Member States when implementing the same;
3. clarifying the definitions of both operators of essential services ("OESs") and digital services providers ("DSPs"), since this will provide for the correct identification of the same by the Member States;
4. placing on equal foot the OESs and DSPs³;
5. defining security objectives and planning for each sector with the involvement of the private sector, in order to bring under a common denominator the...