NIS 2 Directive

About the NIS 2 Directive

Full name: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

Type: Directive

Objective and key elements:

  • Enhance the preparedness of the Member States (such as forming, and cooperating with other Member States through, a Computer Security Incident Response Team (CSIRT), a competent national network and information systems (NIS) authority and an EU-wide Cooperation Group).
  • Requirements to form a culture of security across sectors that are vital for the EU economy and society and that rely heavily on ICTs, such as:
    • energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
  • Operators of essential services (as appointed) in the above sectors will be obliged to take appropriate security measures and notify relevant national authorities of serious incidents.
  • Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under NIS 2.

Relevant to: Operators of essential services, as well as key digital service providers.

Status: In force since 16 January 2023, to be implemented by the Member States by 17 October 2024.

Related legislation: Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER-directive)

(Last updated 12 February 2023)