The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework on the security of network and information systems, replacing the original 2016 NIS Directive. It was adopted on 14 December 2022 and entered into force on 16 January 2023. EU member states were required to transpose it into national law by 17 October 2024.
NIS2 substantially broadens the scope of the original NIS regime. It distinguishes between "essential entities" (such as energy, transport, banking, financial market infrastructures, health, drinking and waste water, digital infrastructure, ICT service management, public administration, and space) and "important entities" (including postal services, waste management, chemicals, food, manufacturing of certain products, digital providers, and research). The size-cap rule generally brings in medium and large organisations in covered sectors, though member states may designate smaller entities where appropriate.
Core obligations include:
- Risk-management measures under Article 21, covering policies on risk analysis, incident handling, business continuity, supply-chain security, vulnerability handling, cryptography, access control, and multi-factor authentication.
- Incident reporting under Article 23: an early warning within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month.
- Management accountability, with senior managers liable for compliance and required to undergo cybersecurity training.
- Enforcement powers including administrative fines up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities.
NIS2 also strengthens EU-level cooperation through the NIS Cooperation Group, CSIRTs Network, and the new EU-CyCLONe for coordinated response to large-scale cross-border incidents. It complements sectoral instruments such as DORA for financial entities and the CER Directive on physical resilience of critical entities.
Example
In October 2024, several EU member states including Germany and the Netherlands missed the 17 October transposition deadline for NIS2, prompting the European Commission to open infringement proceedings against delayed states.
Frequently asked questions
NIS2 expands sectoral scope, replaces case-by-case operator identification with a size-cap rule, introduces stricter incident reporting timelines, imposes management liability, and harmonises sanctions across member states.
Keep learning