EU: Proposal for a directive to revise the Cybersecurity Act.

06/02/2026


The EU Commission has extended the feedback period for a proposal for a directive to revise the Cybersecurity Act, clarify the mandate of the EU Agency for Cybersecurity (ENISA) and improve the European Cybersecurity Certification Framework to achieve better resilience.

This proposal forms part of a broader package of measures aimed at aligning the Union’s cybersecurity framework with the evolving needs of stakeholders in the context of an increasingly sophisticated cyber-threat environment and a complex geopolitical landscape. Essential and important entities operating in critical sectors are facing a growing number of cyberattacks, while state-sponsored threat actors are increasingly exploiting emerging technologies, such as artificial intelligence, to scale and enhance the effectiveness of their operations. In this context, the resilience of critical infrastructure against cyber threats is recognised as a strategic cornerstone for the protection of democratic systems and the economic security of the Union. Cybersecurity has accordingly been placed at the centre of the Union’s resilience agenda under both the European Preparedness Union Strategy and the European Internal Security Strategy (ProtectEU). Similarly, the Communication on Strengthening EU Economic Security identifies the prevention of unauthorised access to sensitive information and data, as well as the prevention and mitigation of disruptions to critical infrastructure affecting the Union’s economy, as key priorities in which robust cybersecurity measures play an essential role. The Draghi Report further underlined the need to strengthen security and reduce strategic dependencies as a core area for action at Union level. In addition, in its Communication on a Simpler and Faster Europe, the Commission reaffirmed its commitment to an ambitious programme of forward-looking and innovative policies aimed at enhancing the Union’s competitiveness, reducing regulatory burdens for individuals, businesses and administrations, and upholding the Union’s fundamental values.

Against this background, the present proposal for a Directive amending Directive (EU) 2022/2555 seeks to introduce simplification measures and to ensure alignment with the proposed Regulation on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework and ICT supply-chain security (Cybersecurity Act 2), which repeals Regulation (EU) 2019/881. The proposal addresses the complexity and fragmentation of cybersecurity-related policies affecting the Union’s overall cyber posture by introducing clarifications and facilitating compliance for regulated entities.

The objectives of this Directive should be understood within the broader context of the Cybersecurity Act revision package, which includes the proposed Regulation on ENISA, the European cybersecurity certification framework and ICT supply-chain security. That Regulation aims to address: (i) the misalignment between the Union’s cybersecurity policy framework and stakeholders’ needs in an increasingly hostile threat environment; (ii) delays in the implementation of the European Cybersecurity Certification Framework; (iii) the complexity and diversity of cybersecurity-related policies impacting the Union’s cyber posture; and (iv) rising security risks within ICT supply chains. In relation to the complexity and fragmentation of cybersecurity policies, the revision package proposes, as part of the reform of the European Cybersecurity Certification Framework, to promote certification as a compliance tool for businesses and to enable the development of certification schemes addressing the cyber posture of entities, with the aim of reducing compliance costs for entities subject to the NIS 2 Directive and other relevant Union cybersecurity legislation. This approach is intended to significantly simplify regulatory obligations for entities subject to multiple compliance regimes and to promote a more efficient allocation of resources among national authorities.

As set out in the explanatory memorandum accompanying the proposal for the Cybersecurity Act 2 Regulation, the Directive contributes in particular to achieving Specific Policy Objective 4 of the impact assessment, namely the establishment of mechanisms and conditions that facilitate compliance with cybersecurity requirements and enhance the coherence and effectiveness of their implementation. To that end, the proposed amendments to the NIS 2 Directive aim to simplify compliance and ensure a streamlined and consistent application of key aspects of the cybersecurity framework, including provisions on scope, definitions, ransomware reporting and the supervision of entities providing cross-border services.

The proposal for this Directive, which amends Directive (EU) 2022/2555 through simplification measures and alignment with the Cybersecurity Act 2, falls within the scope of the Regulatory Fitness and Performance Programme (REFIT). Together with the revision of the Cybersecurity Act, it contributes to improved legal clarity, the removal of inefficiencies and enhanced alignment across the Union’s cybersecurity legal framework, while supporting the effective functioning of the internal market and safeguarding the Union’s security and strategic autonomy.
