NIS2 Directive: new rules on cybersecurity of network and information systems

The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It also calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement.

Cybersecurity involves protecting network and information systems (NIS), their users, and other affected individuals from cyber incidents and threats. To respond to the increased exposure of Europe to cyber threats, Directive 2022/2555, also known as NIS2, replaced its predecessor, Directive 2016/1148 or NIS1. NIS2 raises the EU's common level of ambition on cybersecurity through a wider scope, clearer rules and stronger supervision tools. It requires Member States to enhance their cybersecurity capabilities, while introducing risk management measures and reporting requirements for entities in more sectors and setting up rules for cooperation, information sharing, supervision, and enforcement of cybersecurity measures.

The directive mandates that each Member State adopt a national cybersecurity strategy, which includes policies for supply chain security, vulnerability management, and cybersecurity education and awareness. Member States must also establish and regularly update a list of operators of essential services, ensuring these entities comply with the directive's requirements. 

In addition to the sectors already covered by NIS1, such as energy, transport, healthcare, finance, water management and digital infrastructure, these rules apply to providers of public electronic communications services, more digital services such as social platforms, waste water and waste management, manufacturing of critical products, postal and courier services, public administration at both central and regional level, and space. As a rule, medium-sized and large entities in these critical sectors will have to take appropriate cybersecurity risk-management measures and notify relevant national authorities of significant incidents. These are incidents that could cause significant disruption or damage.

The directive also includes provisions for supervision, enforcement, and voluntary peer reviews to enhance mutual trust and cybersecurity capabilities across the EU. It also makes top management accountable for non-compliance with cybersecurity risk management measures, thus bringing cybersecurity to the attention of the boardroom.

The directive sets up a network of Computer Security Incident Response Teams (CSIRTs) to exchange information on cyber threats and respond to incidents. These teams are crucial for maintaining situational awareness and offering assistance. To manage large-scale cybersecurity incidents or crises, the directive creates the European cyber crisis liaison organisation network (EU-CyCLONe). This network supports coordinated management and ensures regular information exchange among Member States and EU institutions in case of large-scale incidents and crises.

In parallel, the NIS Cooperation Group is a platform established by the NIS Directive to facilitate strategic cooperation and information exchange among EU Member States, the European Commission, and the EU Agency for Cybersecurity (ENISA). The group publishes non-binding guidelines and recommendations to support the implementation of the NIS Directive.

Background

NIS1 (Directive 2016/1148) was the first comprehensive EU legislation aimed at boosting the cybersecurity of network and information systems to safeguard vital services for the EU's economy and society. In December 2020, the Commission proposed revising NIS1, resulting in the adoption of NIS2, which came into force in January 2023. Member States had until 17 October 2024 to transpose the NIS2 Directive into national law. NIS2 repealed NIS1 with effect from 18 October 2024.


 

Latest News

  • Press release
  • 20 May 2025

The EU and the Republic of Korea exchanged on cyber policy developments and discussed the cyber threat landscape and respective frameworks to prevent, deter and respond to cyber threats. They also addressed cyber security and resilience.

  • Digibyte
  • 20 May 2025

On 20 May, Roberto Viola, Director-General for DG CONNECT, and Doina Nistor, Deputy Prime Minister, Minister of Economic Development and Digitalisation of the Republic of Moldova, concluded an amendment to Moldova’s Digital Europe Programme association agreement.

  • Press release
  • 07 May 2025

The European Commission decided to send a reasoned opinion to 19 Member States (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland and Sweden) for failing to notify full transposition of the NIS2 Directive (Directive (EU) 2022/2555).

Related Content

Big Picture

The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.