EU NIS2 and RCE
The EU directives NIS2 and RCE define the EU framework for critical infrastructure protection at a European level. Both directives are under negotiation between EU institutions, with public drafts from 2020 still under discussion and a first agreement on NIS2 between commission and parliament reached in May 2022.
NIS, the Directive on Security of Network and Information Systems, regulates cybersecurity; the new NIS2 extends the scope and the requirements for operators. RCE prescribes resilience and continuity measures at operators and will soon supersede the ECI (European Critical Infrastructures) directive. Both NIS2 and RCE need to be transposed into national law after eventual EU agreement.
Changes in cyber security for EU operators with updated EU NIS2 (OpenKRITIS briefing, English, PDF, November 2021)
New resilience requirements for EU operators with EU RCE (OpenKRITIS briefing, English, PDF, November 2021)
Sectors in the EU
NIS2 and RCE critical sectors
EU NIS2 identifies individual operators according to business size (2003/361/EC), while RCE prescribes national identification of operators. Both NIS2 and RCE regulate critical operators in harmonized EU sectors: NIS2 defines two groups of essential and important services, RCE one group of critical entities. German critical sectors (KRITIS) are displayed for reference.

| Essential Services (NIS2, identified by size of the operators) | Critical Entities (RCE, identified by member states) | KRITIS (Germany) |
|---|---|---|
| Transport | Transport | Transport and traffic |
| Financial market infrastructure | Financial market infrastructure | Financial services |
| Drinking water | Drinking water | Water |
| Waste water | Waste water | Water |
| Digital infrastructure | Digital infrastructure | IT and telco |
| Space | Space | partially in Transport |
| Public administration | Public administration | - |
| Postal and courier services | | partially Transport |
EU NIS2 directive
Cybersecurity in NIS2
NIS2 is the cyber security rulebook for EU operators. Companies that provide essential services and infrastructure in the EU will be regulated for cyber security and supervised.
EU NIS2 regulates sixteen sectors of operators (Entities) in the EU:
- Essential Entities: Ten critical sectors
- Important Entities: Six important sectors
NIS2 uses uniform criteria (2003/361/EC) to identify operators based on business size, harmonizing the diverging thresholds throughout the EU. In scope:
- Medium enterprises: 50-250 employees, 10m-50m EUR turnover, up to 43m EUR balance
- Large enterprises: > 250 employees, > 50m EUR turnover, > 43m EUR balance
There are exceptions that are not in scope of NIS2:
- Micro enterprises: < 9 employees and < 2m EUR turnover/balance
- Small enterprises: < 49 employees and < 10m EUR turnover/balance
- Digital infrastructure as part of A is in scope irrespective of size
- Special cases in A and B might be in scope irrespective of size in case of national monopolies, special importance, cross-border dependencies etc.
Operators of digital services and infrastructures need to register with ENISA, which informs the relevant national authorities.
EU operators in NIS2 scope are required to implement security measures to protect the IT and networks of their essential and important services:
- Policies: Normative on risk management and information security
- Incident management: Prevention, detection and response to cyber incidents
- Continuity: BCM and crisis management
- Supply chain: Security with suppliers and development
- Test and audit: Effectiveness of information security
- Cryptography: Usage of strong encryption
International and European standards should be encouraged in implementing cybersecurity measures; member states can also prescribe EU cybersecurity certifications.
Operators need to notify their national cybersecurity authority immediately of incidents, outages and threats with significant impact on their services. Member states should support the exchange of information between operators with platforms, rules and technologies.
EU RCE directive
Resilience in RCE
RCE is the resilience baseline for EU operators. Companies that provide critical services in the EU will be regulated for resilience and risk and supervised.
Affected operators are to be identified and registered by national authorities based on national risk and disruptive effect of single operators failing. The list of operators should be reported to the EU.
Critical operators need to identify and analyze availability risks (continuity) within six months after their identification. This risk analysis should include dependencies on other operators, sectors and states and be repeated every four years. To protect their critical services, operators need to implement controls for resilience, with EU RCE prescribing a set of minimal measures.
- Prevention: Measures to protect against disasters and climate change
- Physical security: Protection of sensitive zones of the critical service through perimeters, detection and access control.
- Crises: Risk and crisis management with procedures, protocols and alarming.
- Recovery: Business Continuity Management (BCM) and measures to recover after incidents to include alternate supply chains.
- Staff: Security management for sensitive and protected areas of critical services.
- Awareness: Measures to raise staff awareness for resilience measures.
All measures and controls should be documented in a single, coherent Resilience Plan. The EU commission might define more detailed resilience requirements and can send advisory missions to national operators at member states' request.
Member states should allow critical operators to conduct background checks of personnel in sensitive areas — to include security clearances in special cases through security agencies.
Operators need to report significant disruptions and incidents in their critical services to their national authorities.
Both EU NIS2 and RCE define broad oversight requirements and national authorities to govern critical operators in member states.
- Competent authority for cybersecurity and oversight of NIS2 regulation
- Crisis management for national management of large-scale incidents and crises
- National cooperation between cybersecurity authorities, CSIRT and SPOCs
- Competent authority for resilience and oversight of RCE regulation to closely collaborate with the NIS2 authority
Member states need to implement a national cybersecurity strategy (NCSS) as part of their cybersecurity legislation for NIS2 and within three years a national strategy for the resilience of critical operators for RCE.
EU NIS2 defines extensive national oversight and governance for Important operators to be implemented by member states, with slightly milder oversight for Essential and RCE Critical operators.
- Evidence and audits: Authorities should receive evidence and be authorized to test, audit and inspect operators.
- Instructions: Authorities should issue binding instructions in case of non-compliance, warn the public and install oversight officers at operators.
- Authorizations: In case of continuing non-compliance, authorities should set deadlines for operators and retract their authorization or certification of operations.
- Sanctions: Authorities should be allowed to sanction operators in case of non-compliance, with the management of operators being held personally liable in case of breaches.
Member states need to analyse the risks of disruptive effects in critical sectors and services. Based on this analysis, critical operators will need to be identified and registered three years after RCE comes into force and reported at least every four years to the EU commission.
Incidents and reporting
Member states should set up national CSIRTs to handle cybersecurity incidents in critical sectors. CSIRTs should also monitor national threats and incidents, provide foresight and warnings for cyber risks, pro-actively scan networks and collaborate with the EU, the CSIRT network and operators.
Domains and databases
Operations of TLD domain registries will be more heavily regulated, including the collection and publication of domain registration data. Vulnerabilities shall be published in the EU in a coordinated process, with member states taking part through their national CSIRT. ENISA will implement a vulnerability register for these use cases.
The EU Cooperation Group (CG) governs cybersecurity cooperation in the EU and between member states on best practices, methods and information exchange. Large-scale incidents and crises in the EU should be managed with the help of the European Cyber Crises Liaison Organisation Network EU-CyCLONe to include preparations and awareness.
For resilience, the Critical Entities Resilience Group will be set up to enable cooperation between member states and the commission.
ENISA should prepare a report on the State of Cybersecurity in the EU every two years — on capabilities, resources and a cybersecurity index. The effectiveness of national cybersecurity strategies should be examined through Peer Reviews between EU member states. Review methods and criteria are to be defined between commission and ENISA:
- Cybersecurity capabilities and resources of national authorities
- Implementation of reporting and risk management requirements
- CSIRT capabilities and effectiveness
- Information exchange and bilateral support
The Cooperation Group can review supply chain security for IT services and systems together with ENISA and the commission, which selects the services and products for review.
National CSIRTs exchange information on incidents, crises and capabilities in the EU CSIRT network — which is also used during cross-border incidents. If multiple member states are affected during incidents, national CSIRTs and authorities should inform the respective states and the public.
Jurisdiction and risks
EU NIS2 defines more concrete jurisdiction for digital service providers in the EU:
- Digital infrastructures and services such as DNS/TLD, cloud, data centers, SDN and DSP are under the jurisdiction of the EU member state of their headquarters.
- Headquarters is defined as the place where cyber risk measures are executed. If the HQ is located outside of the EU, the member state with the majority of employees has jurisdiction.
- If a service provider has no offices in the EU but provides services in it, the provider has to designate officers in the EU.
For providers active in multiple member states, national authorities should closely collaborate. Cross-sector and cross-country resilience risks should be analyzed by the commission and authorities and operators supported in developing methods.
Designated operators with special European relevance are those that supply at least a third of EU member states with critical services. These operators have to be identified at EU level and specially supervised and protected.
The requirements from EU NIS2 and RCE need to still be formally accepted in the EU and then transposed into national law.
The last drafts of both NIS2 and RCE are from December 2020; for NIS2 there is a compromise draft from the EU parliament, which was agreed on in May 2022. Eighteen months after entry into force of the EU directives, member states need to transpose them into national law with their own legislation.
The NIS directive from 2016 has been integrated into national legislation in EU member states, in Germany through the IT-Sicherheitsgesetz and Gesetz zur Umsetzung der NIS-Richtlinie from 2017.
Some of the upcoming requirements, especially from NIS2, have already been adopted, at least partially, in national law as well. The new German IT-Sicherheitsgesetz 2.0 from 2021 defines several requirements that match NIS2, including new sectors, cybersecurity measures and stronger sanctions. Some legislative work still needs to be done though.
National strategies should be reviewed and adapted by member states regularly.
NIS2 and RCE will be reviewed by the commission 4½ years after entry into force.