My favourites


About the NIS 2 Directive

Full name: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)


Type: Directive


Objective and key elements:

  • Enhancing the preparedness of the Member States (cooperating among other Member states through a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority and EU-wide Cooperation Group)
  • Requirements to form a culture of security across sectors that are vital for the EU economy and society and that rely heavily on ICTs, such as:
    • energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure
  • Operators of essential services (as appointed) in the above sectors will be obliged to take appropriate security measures and notify relevant national authorities of serious incidents
  • Requirements for key digital service providers, such as search engines, cloud computing services and online marketplaces, to comply with the security and notification requirements  under NIS 2

Relevant to: Operators of essential services, key digital service providers


Status: In force since 16 January 2023, to be implemented by the Member States by 17 October 2024


Related legislation:  Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER-directive)

(Last updated 7 March 2023)