TALLINN – The government on Thursday gave its nod to the official position of Estonia in favor of a planned directive of the European Union which aims to ensure an even and higher level of cybersecurity of network and information systems across the EU.
"The first union-wide legislative act concerning the security of network and information systems, meaning the NIS directive, was adopted in 2016, and it had to ensure an evenly high level of security in the entire EU," Estonia's Minister of Entrepreneurship and IT Andres Sutt said in a press release on Thursday
The minister observed that even though cyber capabilities have evened out across the EU, cyber threats have become more diverse and countries' dependence on digital solutions has increased significantly.
"To keep pace with changing cyber risks and resolve new challenges, we must review, in addition to national regulations, also bottlenecks in the current EU legislation and update it," Sutt said.
The proposal for the new directive, NIS2, covers more sectors and units compared with the current directive, seeks to harmonize the application of requirements to large and medium-sized enterprises, steps up security requirements, adds the obligation to notify significant cyber threats, specifies rules for the notification of a cyber incident, and addresses the security of supply chains.
Raul Rikk, the cyber security policy chief of Estonia, said that raising the EU-wide cybersecurity minimum threshold is definitely necessary.
"Although this level is more even in the EU today, we can see fragmentation in the context of the security of the network and information systems of different member states and sectors. In some countries some critical sectors and business operators are not covered by the directive, and also security requirements and the regulations concerning the obligation to notify incidents differ," Rikk said.
According to its official position, Estonia favors a flexible approach that allows member states in justified cases, such as regional significance or significant cross-dependence, to also bring micro and small enterprises within the scope of the directive.
In addition, Estonia is in favor of more precise requirements for the notification of cyber incidents, while avoiding the duplication of duties, and of intensifying cooperation and data exchange between the competent institutions of the member states.
"The cybersecurity of several newly added fields is not regulated in Estonia today. Speaking of vital services, these are, for instance, communications services, manufacture of space and pharmaceutical products, including vaccines, and the chemical and food industry," Rikk said.
The official added that in the future, cyber incidents that could have led to a significant cyber threat should also be notified.
The Commission in June 2020 opened a public consultation for a review of the NIS directive, and the proposal for the new directive was published in December as part of a bigger package which also includes a new EU cybersecurity strategy and a proposal for a directive on the resilience of critical entities.
The NIS directive has been transposed into Estonian law with the Cybersecurity Act.