The EU Council has published its general approach on measures for a high common level of cybersecurity across the European Union, aimed at "further improving the resilience and incident response capacities of both the public and private sector and the EU as a whole".

The EU Council says that the general approach will allow it to start negotiations with the European Parliament and agree upon a final text for its new directive. Once adopted, the new directive (known as "NIS2") will replace EU Directive 2016/1148, concerning measures for a high common level of security of network and information systems (known as the "NIS directive").

NIS2 aims to "remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in the near future". It sets the baseline for cybersecurity risk management measures and reporting obligations across all sectors covered by the directive, including energy, transport, health and digital infrastructure.

NIS2 sets minimum rules for a regulatory framework and lays down mechanisms for effective cooperation between member states. It will also formally establish the European Cyber Crises Liaison Organisation Network (known as "EU-CyCLONe"), which will support the coordinated management of large-scale security incidents.

NIS2 also introduces a size-cap rule so that all medium-sized and large entities operating within the relevant sectors or providing the relevant services will fall within the directive's scope. There are also additional provisions to ensure the proportionality, higher level of risk management and clear-cut criticality criteria for determining which entities are covered. The EU Council has aligned the text with sector-specific legislation, streamlined reporting obligations and introduced a voluntary peer-learning mechanism to increase mutual trust and learning from good practices and experiences.

The EU Council will now start negotiations with the European Parliament, to agree, among other things, the final text of NIS2.

For further information on this topic please contact Ruth Haynes, Sarah Perry or Gayle McFarlane at Eversheds Sutherland by telephone (+44 20 7919 4500) or email ([email protected], [email protected] or [email protected]). The Eversheds Sutherland website can be accessed at