Article 17 International cooperation

Summary What does Article 17 of the NIS 2 directive say?

This brief article addresses the Union's ability to engage with third countries and international organisations on cybersecurity cooperation matters.

It provides the legal basis for the EU to formalise such relationships through international agreements, specifically enabling external parties to participate in the key cooperative structures established under this Directive: the Cooperation Group, the CSIRTs network, and EU-CyCLONe.

Important points:

The Union may conclude international agreements with third countries or international organisations to allow their participation in the Cooperation Group, the CSIRTs network, and EU-CyCLONe.
Any such agreements must comply with Union data protection law.
The agreements are concluded in accordance with Article 218 TFEU, the standard treaty-making procedure for the EU.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

The Union may, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in particular activities of the Cooperation Group, the CSIRTs network and EU-CyCLONe. Such agreements shall comply with Union data protection law.

Relevant recitals

Recital 73 International agreements

The Union can, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in particular activities of the Cooperation Group, the CSIRTs network and EU-CyCLONe. Such agreements should ensure the Union’s interests and the adequate protection of data. This should not preclude the right of Member States to cooperate with third countries on management of vulnerabilities and cybersecurity risk management, facilitating reporting and general information sharing in accordance with Union law.

Recital 74 Member states' cooperation with third countries

In order to facilitate the effective implementation of this Directive with regard, inter alia, to the management of vulnerabilities, cybersecurity risk-management measures, reporting obligations and cybersecurity information-sharing arrangements, Member States can cooperate with third countries and undertake activities that are considered to be appropriate for that purpose, including information exchange on cyber threats, incidents, vulnerabilities, tools and methods, tactics, techniques and procedures, cybersecurity crisis management preparedness and exercises, training, trust building and structured information-sharing arrangements.

Recital 88 Industrial espionage

Essential and important entities should also address risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem, including with regard to countering industrial espionage and protecting trade secrets. In particular, those entities should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of essential and important entities, when relying on data transformation and data analytics services from third parties, those entities should take all appropriate cybersecurity risk-management measures.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.