Revision of the NIS directive: an opportunity to strengthen the cybersecurity level in the EU


The European commission is about to review the NIS directive, adopted in July 2016, by the end of the year.

A VERY POSITIVE IMPLEMENTATION ASSESSMENT

A legislation to reinforce capacities within the EU

The national transpositions have enabled the EU Member States to adopt a set of measures to raise the level of digital security on their respective territories, leading to undeniable progresses in terms of cybersecurity level for the EU as a whole. At national level, the transposition of the NIS directive has been a lever to extend consistently the pre-existing regulatory framework to improve the maturity of the actors that are essential to the functioning of the economy and of the society.

A privileged tool to boost the development of a trusted ecosystem

The directive, in line with its initial objectives, has been an efficient driver to increase the level of cybersecurity of the actors that are essential to the functioning of the economy and of the society in the Member states of the EU.

Voluntary cooperation between the Member States, a demonstrated virtuous circle

Materialized through the NIS cooperation group and the network of Computer Security Incident Response Teams (CSIRTs), the set-up of these bodies has played a key role to create the conditions for the Member states to exchange in confidence and contribute to the appropriate cyber-related EU policy developments.

WHILE THE CYBER THREAT LANDSCAPE IS CHANGING, LEGISLATIVE EVOLUTIONS ARE REQUIRED

An evolution, not a revolution

Improving some aspects of the directive, through further harmonization measures in order to ensure an adequate level of security in a context where cyber threats are growing: this is our ambition. Consistency shall be a key word of this approach.

A consistent approach has to underpin this revision

While several EU cyber-related sectorial legislations are about to be negotiated. In this context, it is primordial to keep NIS as the legislative framework of reference in the cybersecurity area, based on minimal harmonization measures and with a crossectorial dimension.

Reinforcing digital risk management and governance to enhance the maturity of the OESs

Digitalization of our societies and economies has been booming since 2016 and digital security, beyond its technical dimension, has turned into a real economic and strategic issue for companies. Considering these evolutions, the revision of the NIS directive is an opportunity to emphasize more precisely the necessity for the operators of essential services (OESs) to set-up appropriate governance and digital risk management processes, reporting to the top management of the organization.

Taking fully into account the digital ecosystem to guarantee further security of the digital supply chain

Amongst the new cyber threats, the multiplication of supply chain attacks, targeting the overall ecosystem of the OESs (subcontractors, providers, partners…), is a major evolution. As a consequence, it is essential to bring evolutions to the NIS directive, so that it contributes to secure the digital ecosystem around the OESs.

Improving cross border cooperation, a matter of increased trust between the Member states and of increased consistency of the internal market

It is important to assess how to make national approaches more convergent to improve the already existing mechanisms concerning OES identification and incident response. Capitalizing upon the launch of the CyCLONE network at the occasion of Blue Olex 2020, integrating cyber crisis management and cooperation in the perimeter of NIS shall be a decisive progress to strengthen the cyber resilience of the EU and of the Member states.

This revision process will be efficient and, this is an ANSSI wish, as quickly conclusive as possible, by envisaging these changes in a pragmatic and concrete way.