Factsheet / infographic | Publication

Revised Directive on Security of Network and Information Systems (NIS2)

The revised Directive was proposed on 16 December 2020.

The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped achieve a higher and more even level of security of network and information systems across the EU. In view of the unprecedented digitalisation of recent years, the time has come to refresh it.

HOW?

Greater capabilities

NIS

  • EU Member States improve their cybersecurity capabilities.

NIS 2

  • More stringent supervision measures and enforcement are introduced.
  • A list of administrative sanctions, including fines for breach of the cybersecurity risk management and reporting obligations, is established.

Cooperation

NIS

  • Increased EU-level cooperation.

NIS 2

  • Establishment of the European Cyber crises liaison organisation network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents and crises at EU level.
  • Increased information sharing and cooperation between Member State authorities, with an enhanced role for the Cooperation Group.
  • Coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU is established.

Cybersecurity risk management

NIS

  • Operators of Essential Services (OES) and Digital Service Providers (DSP) have to adopt risk management practices and notify significant incidents to their national authorities.

NIS 2

  • Strengthened security requirements with a list of focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption.
  • Cybersecurity of supply chain for key information and communication technologies will be strengthened.
  • Accountability of the company management for compliance with cybersecurity risk-management measures.
  • Streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline.

SECTORS COVERED BY THE NIS DIRECTIVE

NIS

HEALTHCARE

TRANSPORT

BANKING AND FINANCIAL MARKET INFRASTRUCTURE

DIGITAL INFRASTRUCTURE

WATER SUPPLY

ENERGY

DIGITAL SERVICE PROVIDERS

NIS 2

Expanded scope to include more sectors and services as either essential or important entities.

PROVIDERS OF PUBLIC ELECTRONIC COMMUNICATIONS NETWORKS OR SERVICES

DIGITAL SERVICES SUCH AS SOCIAL NETWORKING SERVICES PLATFORMS AND DATA CENTRE SERVICES

WASTE WATER AND WASTE MANAGEMENT

SPACE

MANUFACTURING OF CERTAIN CRITICAL PRODUCTS (SUCH AS PHARMACEUTICALS, MEDICAL DEVICES, CHEMICALS)

POSTAL AND COURIER SERVICES

FOOD

PUBLIC ADMINISTRATION

Related content

Summary Report on the open public consultation on the Directive on security of network and information systems (NIS Directive)

Consultation results | 27 January 2021

The public stakeholder consultation took place between 7 July and 2 October 2020. It was conducted to gather views on the topic of cybersecurity policy as well as on the different elements of the NIS Directive. The overall number of responses submitted was 206. The results of the consultation were used for the evaluation and impact assessment of the NIS Directive.