NIS 2 Directive Article 19 – Peer Reviews
Introduction
Article 19 of the NIS 2 Directive establishes a peer review mechanism intended to strengthen cybersecurity capabilities across Member States of the European Union. By January 17, 2025, the Cooperation Group, in collaboration with the Commission, ENISA and the CSIRTs network, is to establish the methodology for these peer reviews, with the aim of facilitating knowledge-sharing, building trust and improving cybersecurity resilience. This article examines the key elements of the provision and its significance for cybersecurity.
Peer Review Objectives:
The primary goals of peer reviews under Article 19 are to evaluate the implementation of cybersecurity risk-management measures, assess adherence to reporting obligations, review the capabilities and resources of competent authorities, and strengthen the operational capabilities of CSIRTs. The reviews also cover mutual assistance, cybersecurity information-sharing arrangements, and the handling of cross-border or cross-sector cybersecurity issues.

Methodology and Participation:
Participation in peer reviews is voluntary. Assessments are carried out by cybersecurity experts from at least two different Member States. The methodology will include fair criteria for selecting experts, with oversight from the Commission and ENISA. Member States may identify the specific issues to be reviewed, conduct self-assessments, and take part in the review process collaboratively.

Review Process and Confidentiality:
Peer reviews combine on-site visits and off-site exchanges. The reviewed Member State provides the information required for the review while safeguarding confidential data. To protect the integrity of the process and the data involved, the Cooperation Group will establish codes of conduct for experts, requiring that information obtained be used solely for the purposes of the review. An aspect that has been reviewed will not be re-evaluated for a period of two years, except under special circumstances.

Reporting and Recommendations:
Following the review, the experts draft a report containing findings, conclusions and recommendations. The reviewed Member State examines the report, and its feedback is incorporated into the final assessment. The report is then submitted to the Cooperation Group and the CSIRTs network for further deliberation and action.

Transparency and Accountability:
To promote transparency, peer review reports may be made publicly available, either in full or in redacted form, reflecting a commitment to accountability and knowledge-sharing within the cybersecurity domain. In addition, mechanisms for disclosing conflicts of interest, together with the right of a reviewed Member State to object to specific experts, are intended to ensure the impartiality and credibility of the review process.