Article 5, NIS 2 Directive (Proposal 16.12.2020).
National cybersecurity strategy
1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include, in particular, the following:
(a) a definition of objectives and priorities of the Member States’ strategy on cybersecurity;
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2 and the roles and responsibilities of public bodies and entities as well as other relevant actors;
(c) an assessment to identify relevant assets and cybersecurity risks in that Member State;
(d) an identification of the measures ensuring preparedness, response and recovery to incidents, including cooperation between the public and private sectors;
(e) a list of the various authorities and actors involved in the implementation of the national cybersecurity strategy;
(f) a policy framework for enhanced coordination between the competent authorities under this Directive and Directive (EU) XXXX/XXXX of the European Parliament and of the Council [Resilience of Critical Entities Directive] for the purposes of information sharing on incidents and cyber threats and the exercise of supervisory tasks.
2. As part of the national cybersecurity strategy, Member States shall in particular adopt the following policies:
(a) a policy addressing cybersecurity in the supply chain for ICT products and services used by essential and important entities for the provision of their services;
(b) guidelines regarding the inclusion and specification of cybersecurity-related requirements for ICT products and service in public procurement;
(c) a policy to promote and facilitate coordinated vulnerability disclosure within the meaning of Article 6;
(d) a policy related to sustaining the general availability and integrity of the public core of the open internet;
(e) a policy on promoting and developing cybersecurity skills, awareness raising and research and development initiatives;
(f) a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure;
(g) a policy, relevant procedures and appropriate information-sharing tools to support voluntary cybersecurity information sharing between companies in compliance with Union law;
(h) a policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats.
3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is strictly necessary to preserve national security.
4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA) shall assist Member States, upon request, in the development of a national strategy and of key performance indicators for the assessment of the strategy.
Note: This is not the final text of the NIS 2 Directive. This is the text of the NIS 2 Directive Proposal of 16.12.2020.