Skip to main content
Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)

Status: In force

  • Transposition into national law until 17 October 2024

Summary

The NIS2 Directive repeals and modernises the NIS1 Directive which was the first piece of EU-wide legislation on cybersecurity. The NIS2 Directive extendts the framework to cover further sectors, taking into account the evolving cybersecurity threat landscape since the adoption of NIS1.

Scope

NIS2 applies to ‘essential entities’ and ‘important entities’ that provide services or carry out activities within the EU. Essential entities operate in highly critical sectors such as energy, transport, banking, water, financial market infrastructures, health, digital infrastructure, ICT service management (business-to-business), public administration and space. Important entities act in other critical sectors such as (among others) production, processing and distribution of food, manufacturing, production and distribution of chemicals, various other manufacturing and digital providers.

Key elements

Key obligations for regulated entities:

  • Cybersecurity requirements and management body obligations
  • 3-phase reporting obligations for significant incidents (24 hours early warning, 72 hours incident reporting, 1 month final report)
  • Communication of significant cyber threats to potentially affected recipients of the services without undue delay

Breaches of these obligations are subject to severe GDPR-style fines set by national law. The maximum fine must be at least the higher of:

  • €10m or 2 % of the total worldwide annual turnover for essential entities,
  • €7m or 1.4 % of the total worldwide annual turnover for important entities.

Challenges

  • Considerable increase in companies and sectors in scope
  • Harmonised EU regime for handling cyber incidents, with specific rules for incident reporting (short deadlines) and enforcement (high-fines) across Europe

Blogs