On 11 March 2021, the EDPS published its Opinion 5/2021 on the Proposal of 16 December 2020 for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (→ eucrim 4/2020, 282).

The current EU Network and Information Security Directive 2016/1148 (the NIS Directive) of 6 July 2016 concerns measures for a high common security level of network and information systems across the Union, with the aim of improving the functioning of the internal market. To this end, it obliges Member States to:

• Adopt a national strategy on the security of network and information systems and to designate tasks related to the security of network and information systems to national competent authorities, single points of contact, and Computer Security Incident Response Teams (CSIRTs);
• Create a cooperation group to support and facilitate strategic cooperation and the exchange of information among Member States;
• Create a CSIRTs network to develop trust and confidence between Member States and to promote swift and effective operational cooperation;
• Establish security and notification requirements for operators of essential services and for digital service providers.

An impact assessment conducted by the European Commission in 2020, however, showed that the NIS Directive has limitations, e.g., a residual low cyber resilience level of businesses operating in the EU, inconsistent resilience across Member States and sectors, a low level of joint situational awareness, and a lack of joint crisis response.

Hence, the Proposal of 16 December 2020 has a threefold aim:

• To increase the level of cyber resilience of a comprehensive set of businesses operating in the EU across all relevant sectors;
• To reduce inconsistencies in resilience across the internal market in the sectors already covered by the NIS Directive;
• To improve the level of joint situational awareness and the collective capability to prepare and respond to cybersecurity challenges.

The EDPS welcomes the aims of the Proposal of 16 December 2020 in addressing a wider set of entities than the NIS Directive and in introducing stronger security measures, including mandatory risk management, minimum standards for these measures, and relevant supervision and enforcement provisions. To achieve a fully comprehensive approach, however, the EDPS recommends explicitly including Union institutions, offices, bodies, and agencies into the scope of the legislative act.

The EDPS does not expect the proposal to affect the application of existing EU laws governing the processing of personal data but instead effectively complement them. Therefore, the EDPS calls for a clear definition of the term “cybersecurity” in the proposal and recommends clearly outlined mechanisms for involvement of the EDPS, the European Data Protection Board, and competent authorities of the regulatory actors.