Shaping Europe’s digital future

NIS2 Directive: new rules on cybersecurity of network and information systems

The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It also calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement.

Cybersecurity involves protecting network and information systems (NIS), their users, and other affected individuals from cyber incidents and threats. To respond to Europe's increased exposure to cyber threats, Directive 2022/2555, also known as NIS2, replaced its predecessor, Directive 2016/1148 or NIS1. NIS2 raises the EU's common level of ambition on cybersecurity through a wider scope, clearer rules and stronger supervision tools. It requires Member States to enhance their cybersecurity capabilities, while introducing risk-management measures and reporting requirements for entities in more sectors and setting up rules for cooperation, information sharing, supervision, and enforcement of cybersecurity measures.

The directive mandates that each Member State adopt a national cybersecurity strategy, which includes policies for supply chain security, vulnerability management, and cybersecurity education and awareness. Member States must also establish and regularly update a list of operators of essential services, ensuring these entities comply with the directive's requirements. 

In addition to the sectors already covered by NIS1, such as energy, transport, healthcare, finance, water management and digital infrastructure, these rules apply to providers of public electronic communications services, further digital services such as social platforms, wastewater and waste management, manufacturing of critical products, postal and courier services, public administration at both central and regional level, and space. As a rule, medium-sized and large entities in these critical sectors will have to take appropriate cybersecurity risk-management measures and notify the relevant national authorities of significant incidents, meaning incidents that could cause significant disruption or damage.

The directive also includes provisions for supervision, enforcement, and voluntary peer reviews to enhance mutual trust and cybersecurity capabilities across the EU. It also makes top management accountable for non-compliance with cybersecurity risk-management measures, thus bringing cybersecurity to the attention of the boardroom.

The directive sets up a network of Computer Security Incident Response Teams (CSIRTs) to exchange information on cyber threats and respond to incidents. These teams are crucial for maintaining situational awareness and offering assistance. To manage large-scale cybersecurity incidents or crises, the directive creates the European cyber crisis liaison organisation network (EU-CyCLONe). This network supports coordinated management and ensures regular information exchange among Member States and EU institutions in the event of large-scale incidents and crises.

In parallel, the NIS Cooperation Group is a platform established by the NIS Directive to facilitate strategic cooperation and information exchange among EU Member States, the European Commission, and the EU Agency for Cybersecurity (ENISA). The group publishes non-binding guidelines and recommendations to support the implementation of the NIS Directive.

Background

NIS1 (Directive 2016/1148) was the first comprehensive EU legislation aimed at boosting the cybersecurity of network and information systems to safeguard vital services for the EU's economy and society. In December 2020, the Commission proposed revising NIS1, resulting in the adoption of NIS2, which came into force in January 2023. Member States had until 17 October 2024 to transpose the NIS2 Directive into national law. NIS2 repealed NIS1 from 18 October 2024.

The Commission has initiated infringement procedures by sending letters of formal notice to 23 Member States for failing to fully transpose the NIS2 Directive into national law by the deadline of 17 October 2024. Member States have to respond and complete their transposition of the directive. If they fail to do so, the Commission may issue a reasoned opinion, which is a formal request to comply with EU law. Continued non-compliance could eventually lead to the case being referred to the Court of Justice of the European Union, which can impose financial penalties.

Latest News

DIGIBYTE | Cyber: EU and UK hold Second Cyber Dialogue

On 5 and 6 December, the European Union (EU) and the United Kingdom (UK) held their second cyber dialogue in London, as set out under the EU-UK Trade and Cooperation Agreement.

Related content

Broader perspective

The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.

A closer look

  • The Commission, together with the European Union Agency for Network and Information Security, works closely with the Member States to ensure the transposition of the NIS Directive into national law.