NIS2 guidelines on sector specific Union legal acts & Part-IS
The NIS2 Directive is an EU legislative act aiming to establish a high common level of cybersecurity across the EU Member States (MS). The Directive was published on 27/12/2022 and amends the previous Directive on the security of network and information systems (the NIS Directive), which entered into force in August 2016. EU MS will have to transpose the NIS2 Directive into their national laws by the 17th of October 2024 and shall apply those measures from the 18th of October 2024. You can find more information on NIS2 and its connection to the aviation domain in this community post.
According to the NIS2 Directive:
In order to avoid the fragmentation of cybersecurity provisions of Union legal acts, where further sector-specific Union legal acts pertaining to cybersecurity risk-management measures and reporting obligations are considered to be necessary to ensure a high level of cybersecurity across the Union, the Commission should assess whether such further provisions could be stipulated in an implementing act under this Directive.
Article 4 of the Directive covers these aspects, and Article 4(3) announced that guidelines on Article 4(1) and (2) would be provided for further clarification.
On the 18th of September 2023, the European Commission published a Communication providing those guidelines on the relationship between NIS2 and current and future sector-specific Union legal acts addressing cybersecurity risk-management measures or incident reporting requirements. The Appendix to these guidelines lists the sector-specific Union legal acts that the Commission considers to fall within the scope of Article 4 of NIS2.
The only sector-specific Union legal act included in the Appendix, and as such considered equivalent under Article 4 of Directive (EU) 2022/2555, is Regulation (EU) 2022/2554 (Digital Operational Resilience Act, DORA).
Consequently, Part-IS is not considered a sector-specific Union legal act for the time being. However, as NIS2 is a Directive, meaning that it has to be transposed into the national laws of the EU MS, the interplay between the two may be addressed at national level.
The guidelines also provide some information on what was considered during the assessment of the equivalence of sector-specific Union legal acts.
What are your thoughts on this? Let us know in the comments below!