NIS 2 Directive Article 37 – Mutual Assistance

In an increasingly interconnected digital landscape, the need for robust cybersecurity measures has never been more paramount. As organizations operate across multiple Member States within the European Union (EU), the coordination and collaboration between competent authorities become vital in ensuring the security and resilience of network and information systems.

The NIS 2 Directive, specifically Article 37, provides for Mutual Assistance among Member States to facilitate effective cybersecurity governance and response mechanisms. Let's examine the key aspects of Mutual Assistance outlined in Article 37 and its significance in enhancing cybersecurity cooperation in the EU.

• Cooperation Framework for Entities Operating Across Member States

• One of the core principles of the NIS 2 Directive is to foster cooperation and information sharing between competent authorities of different Member States when entities provide services or have network and information systems located in multiple jurisdictions. This ensures a harmonized approach towards cybersecurity supervision and enforcement, considering the transnational nature of cyber threats and vulnerabilities.

• The Role of Competent Authorities in Mutual Assistance

• Under Article 37, competent authorities must engage in mutual assistance by informing and consulting with each other on supervisory and enforcement measures through a designated single point of contact. This streamlined communication channel enables prompt and effective decision-making, facilitating a coordinated response to cybersecurity incidents and breaches that may have cross-border implications.

• Requesting and Providing Mutual Assistance

• Competent authorities have the prerogative to request another authority to undertake supervisory or enforcement measures, ensuring a consistent and proportionate response to cybersecurity challenges. Moreover, mutual assistance may involve various activities such as information sharing, supervisory measures, on-site inspections, off-site supervision, and targeted security audits to strengthen the resilience of network and information systems.

• Grounds for Refusal and Consultation Process

• While cooperation is encouraged under the NIS 2 Directive, competent authorities reserve the right to refuse a request for mutual assistance under specific circumstances. These may include instances where the requesting authority lacks competence, the request is disproportionate or pertains to matters contrary to national security, public security, or defense. In such cases, the authority must consult with concerned parties, including other competent authorities, the European Commission, and the European Union Agency for Cybersecurity (ENISA).

• Joint Supervisory Actions and Collaboration

• Furthermore, Article 37 allows competent authorities from different Member States to conduct joint supervisory actions upon mutual agreement. This collaborative approach enhances the exchange of best practices, expertise, and resources, enabling a more comprehensive assessment of cybersecurity risks and the implementation of preventive measures to mitigate potential threats effectively.

In conclusion, Mutual Assistance under NIS 2 Directive Article 37 is a cornerstone for strengthening cybersecurity cooperation and resilience across the EU. By fostering closer collaboration between competent authorities, sharing information, and facilitating joint supervisory activities, Member States can collectively combat evolving cyber threats and safeguard the integrity of critical infrastructure and digital services.

Embracing a proactive and unified approach to cybersecurity is essential in building a safer and more secure digital environment for businesses, governments, and citizens.