EU NIS 2 and RCE

The EU directives NIS2 and RCE define the EU framework for European critical infrastructure protection. Both NIS 2 (EU 2022/2555) and RCE (EU 2022/2557) were enacted at the end of 2022 and must be transposed into national law by the member states by 2024. Many new operators and obligations will arise.

  1. Sectors
  2. EU NIS2
  3. EU RCE
  4. States
  5. Europe
  6. Roadmap
  7. in German

NIS, the Directive on Security of Network and Information Systems, regulates cyber security in the EU, with NIS2 extending the scope and requirements for operators. RCE prescribes resilience and continuity measures at operators and will soon supersede ECI, the European Critical Infrastructures directive.

EU NIS2 Webinar

EU NIS2 Implementation in EU Member States

Discussion on national NIS2 implementation in: DE, BE, CZ, FI, HR
Webinar ∙ Registration via LinkedIn ∙ 27 February 2024, 9:30

EU NIS2 and RCE: Security and Resilience in Infrastructures

Fact sheet: Requirements and operators in NIS2 and RCE
English ∙ PDF ∙ March 2023 ∙ OpenKRITIS-Briefing

This is the English version of EU NIS2 and RCE articles on EU critical infrastructure regulation.

Sectors in the EU

NIS 2 and RCE critical sectors

EU NIS 2 identifies individual operators according to business size (2003/361/EC), while RCE prescribes national identification of operators. Both NIS 2 and RCE regulate critical operators in harmonized EU sectors: NIS2 defines two groups of essential and important services, RCE one group of critical entities. German NIS2 sectors are displayed for reference.

OpenKRITIS analysis: EU NIS2 and RCE sectors

NIS2                          | RCE                          | German
(identified by size of the    | (operators designated by     | (identified by size of the
 entities)                    |  member states)              |  entities, NIS2)
Annex I                       | Critical Entities            | Anlage 1
Energy                        | Energy                       | Energy
Transport                     | Transport                    | Transport
Banks                         | Banks✝                       | Finance/Insurance
Financial markets             | Financial markets✝           | Finance/Insurance
Health                        | Health                       | Health
Drinking water                | Drinking water               | Water
Waste water                   | Waste water                  | Water
Digital infrastructure*       | Digital infrastructure✝      | IT and telco
ICT service management        | -                            | IT and telco
Public administration*        | Public administration        | Federal entities
Space                         | Space                        | Space
-                             | Food                         | Food
Annex II                      | -                            | Anlage 2
Postal and courier services   | -                            | Postal and courier services
Waste management              | -                            | Waste
Chemicals                     | -                            | Chemicals
Food                          | -                            | Food
Manufacturing                 | -                            | Manufacturing
Digital services              | -                            | Digital services
Research                      | -                            | Research

* - in NIS 2 partially independent of size
✝ - excluded from some RCE requirements and oversight


EU NIS2 directive

Cybersecurity in NIS2

NIS2 is the cyber security rulebook for EU operators. Companies that provide essential services and infrastructure in the EU will be regulated for cyber security and supervised.

Operators

EU NIS2 regulates sixteen sectors of operators (Entities) in the EU:

  1. Essential Entities: Large enterprises from 11 Annex I sectors
  2. Important Entities: Medium enterprises from all 18 Annex I and Annex II sectors as well as large enterprises from Annex II

NIS2 uses uniform criteria (2003/361/EC) to identify operators based on business size to harmonize diverging thresholds throughout the EU. In scope of NIS2 are:

  1. Medium enterprises: 50-249 employees, 10m-50m EUR turnover, 10m-43m EUR balance
  2. Large enterprises: ≥250 employees, ≥50m EUR turnover, ≥43m EUR balance

Exceptions to this rule:

Not in scope of NIS2:

Operators of digital services and infrastructures need to register with ENISA, which informs the relevant national authorities.
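As an added example that is not from the OpenKRITIS page, a Python scope check that applies the classification rule above: it assumes the page's Annex I/II sector lists and size thresholds, and assumes the size bands combine as in 2003/361/EC (headcount, plus both financial ceilings taken together); the page's unlisted exceptions are not modelled.

```python
# Added example (not from the OpenKRITIS page): NIS2 scope classification using the
# page's sector table and size thresholds. Sector names and thresholds are the page's;
# the way the bands combine (headcount OR both financial ceilings) is an assumption.
from dataclasses import dataclass

# Assumption: sector keys mirror the page's Annex I / Annex II rows, lower-cased.
ANNEX_I = {"energy", "transport", "banks", "financial markets", "health",
           "drinking water", "waste water", "digital infrastructure",
           "ict service management", "public administration", "space"}
ANNEX_II = {"postal and courier services", "waste management", "chemicals",
            "food", "manufacturing", "digital services", "research"}


@dataclass
class Entity:
    name: str
    sector: str
    employees: int
    turnover_eur: float
    balance_eur: float


def size_class(e: Entity) -> str:
    """Return 'large', 'medium' or 'small' from the page's thresholds.
    Large: >=250 employees, or >=50m EUR turnover and >=43m EUR balance.
    Medium: >=50 employees, or >=10m EUR turnover and >=10m EUR balance."""
    if e.employees >= 250 or (e.turnover_eur >= 50e6 and e.balance_eur >= 43e6):
        return "large"
    if e.employees >= 50 or (e.turnover_eur >= 10e6 and e.balance_eur >= 10e6):
        return "medium"
    return "small"


def nis2_category(e: Entity) -> str:
    """Map sector and size to the page's two groups of entities."""
    sector = e.sector.lower()
    size = size_class(e)
    if sector in ANNEX_I and size == "large":
        return "essential"      # large enterprises from Annex I
    if size in ("medium", "large") and sector in ANNEX_I | ANNEX_II:
        return "important"      # medium from Annex I/II, large from Annex II
    return "out of scope"       # small enterprise, or sector not listed


if __name__ == "__main__":
    # Constructed sample entities, not real companies.
    samples = [Entity("grid operator", "energy", 600, 120e6, 90e6),
               Entity("chemical plant", "chemicals", 400, 80e6, 60e6),
               Entity("clinic group", "health", 120, 20e6, 15e6),
               Entity("lab startup", "research", 20, 2e6, 1e6),
               Entity("retail chain", "retail", 900, 500e6, 300e6)]
    for s in samples:
        print(f"{s.name:15} {s.sector:12} {size_class(s):7} -> {nis2_category(s)}")
```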

Cybersecurity measures

EU operators in NIS2 scope are required to implement security measures to protect the IT and networks of their essential and important services:

Member states should encourage the use of international and European standards when implementing cybersecurity measures; they can also prescribe EU cybersecurity certifications.

Notifications

Operators need to notify their national cybersecurity authority immediately of incidents, outages and threats with significant impact on their services. Member states should support the exchange of information between operators with platforms, rules and technologies.


EU RCE directive

Resilience in RCE

RCE is the resilience baseline for EU operators. Companies that provide critical services in the EU will be regulated for resilience and risk and supervised.

Operators

Affected operators are to be identified and registered by national authorities, based on national risk analyses and the disruptive effect of a single operator failing. The list of operators should be reported to the EU.

Availability risks

Critical operators need to identify and analyze availability risks (continuity) within six months of their identification. These risk analyses should include dependencies on other operators, sectors and states and be repeated every four years. To protect their critical services, operators need to implement controls for resilience, with EU RCE prescribing a set of minimal measures.

All measures and controls should be documented in a single, coherent Resilience Plan. The EU Commission may define more detailed resilience requirements and can send advisory missions to national operators at a member state's request.

Background Checks

Member states should allow critical operators to conduct background checks of personnel in sensitive areas, including security clearances through security agencies in special cases.

Notifications

Operators need to report significant disruptions and incidents in their critical services to their national authorities.


National oversight

Member states

Both EU NIS2 and RCE define broad oversight requirements and national authorities to govern critical operators in member states.

Member states need to implement a national cybersecurity strategy (NCSS) as part of their cybersecurity legislation for NIS2 and, within three years, a national strategy for the resilience of critical operators for RCE.

Governance

EU NIS2 defines extensive national oversight and governance for Important operators to be implemented by member states, with slightly milder oversight for Essential and RCE Critical operators.

Resilience risks

Member states need to analyse the risks of disruptive effects in critical sectors and services. Based on this analysis, critical operators will need to be identified and registered within three years of RCE entering into force and reported at least every four years to the EU Commission.

Incidents and reporting

Member states should set up national CSIRTs to handle cybersecurity incidents in critical sectors. CSIRTs should also monitor national threats and incidents, provide foresight and warning for cyber risks, proactively scan networks and collaborate with the EU, the CSIRT network and operators.

Domains and databases

Operation of TLD domain registries will be regulated more heavily, including the collection and publication of domain registration data. Vulnerabilities shall be published in the EU in a coordinated process, with member states taking part through their national CSIRT. ENISA will implement a vulnerability register for these use cases.


EU cooperation

European union

The EU Cooperation Group (CG) governs cybersecurity cooperation in the EU and between member states on best practices, methods and information exchange. Large-scale incidents and crises in the EU should be managed with the help of the European Cyber Crises Liaison Organisation Network EU-CyCLONe, including preparation and awareness.

For resilience, the Critical Entities Resilience Group will be set up to enable cooperation between member states and the Commission.

Cybersecurity

ENISA should prepare a report on the State of Cybersecurity in the EU every two years, covering capabilities, resources and a cybersecurity index. The effectiveness of national cybersecurity strategies should be examined through Peer Reviews between EU member states. Review methods and criteria are to be defined between the Commission and ENISA:

The Cooperation Group can review supply chain security for IT services and systems together with ENISA and the Commission, which selects the services and products for review.

Information exchange

National CSIRTs exchange information on incidents, crises and capabilities in the EU CSIRT network, which is also used during cross-border incidents. If multiple member states are affected by an incident, national CSIRTs and authorities should inform the respective states and the public.

Jurisdiction and risks

EU NIS2 defines more concrete jurisdiction for digital service providers in the EU:

For providers active in multiple member states, national authorities should collaborate closely. Cross-sector and cross-country resilience risks should be analyzed by the Commission and national authorities, and operators should be supported in developing methods.

Special operators

Designated operators with special European relevance are those that supply at least a third of EU member states with critical services. These operators have to be identified at EU level and specially supervised and protected.


Roadmap

Legislation

The requirements from EU NIS2 and RCE have been formally accepted in the EU and now need to be transposed into national law. Both NIS 2 and RCE were agreed in Parliament, with NIS 2 also having been adopted in the Council. Transposition into national law has a 21 month grace period – until October 2024.

EU

Both directives have been published in the Official Journal of the EU as directives EU 2022/2555 (NIS 2) and EU 2022/2557 (RCE). The last drafts of both NIS2 and RCE date from December 2020; a compromise draft from the EU Parliament and Commission was agreed in May 2022 and passed the EP and Council in November 2022.

Twenty-one months after entry into force of the EU directives, member states need to transpose them with own legislation into national law – until October 2024.

Member states

The NIS directive from 2016 has been integrated into national legislation in EU member states, in Germany through the IT-Sicherheitsgesetz and Gesetz zur Umsetzung der NIS-Richtlinie from 2017.

Some of the upcoming requirements, from NIS2 in particular, have already been adopted, at least partially, in national law as well. The new German IT-Sicherheitsgesetz 2.0 from 2021 defines several requirements that match NIS2, including new sectors, cybersecurity measures and stronger sanctions. Some legislative work still needs to be done, though.

National strategies should be reviewed and adapted by member states regularly.

Review

NIS2 and RCE will be reviewed by the Commission 4½ years after entry into force.

Time frame

Roadmap of the NIS and NIS 2 directives, November 2022
from: EU PE 689.333.

Version | Status                           | Date      | Actor
NIS     | Deadline national implementation | May 2018  | Member states
NIS     | EU-wide national implementation  | 2020      | Member states
NIS     | Evaluation/review                | Jun 2020  | Commission
NIS     | Open public consultation         | 7-10/2020 | Commission
NIS 2   | Impact Assessment (IA)           | Oct 2020  | Commission
NIS 2   | Feedback from IA                 | Nov 2020  | Regulatory Scrutiny Board
NIS 2   | Draft (proposal)                 | Dec 2020  | Commission
RCE     | Draft (proposal)                 | Dec 2020  | Commission
NIS 2   | Opinion on Draft                 | Apr 2021  | EESC
NIS 2   | Deadline national feedback       | Mar 2021  | National parliaments
NIS 2   | Compromise draft NIS 2           | Oct 2021  | EU Parliament
NIS 2   | Agreement NIS 2                  | May 2022  | EU Parliament + Commission
NIS 2   | Agreement NIS 2                  | Nov 2022  | EU Parliament
RCE     | Agreement RCE                    | Nov 2022  | EU Parliament
NIS 2   | Adoption NIS 2                   | Nov 2022  | EU Council
NIS 2   | National implementation          | Oct 2024  | Member states

