NIS 2 Directive (NIS2)

In force · Cybersecurity Directive · Adopted: 14 December 2022 · Applies from: 18 October 2024

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

Directive (EU) 2022/2555 (NIS2) establishes a strengthened, harmonised EU-wide framework for cybersecurity risk management and incident reporting, replacing Directive (EU) 2016/1148 (NIS). It expands the range of covered sectors and entities, sets minimum cybersecurity measures and governance requirements, and enhances supervisory and enforcement powers of national authorities. It also reinforces EU-level cooperation mechanisms, including the CSIRTs network and EU-CyCLONe, and provides for administrative fines for non-compliance.

Who is affected?

Medium and large entities (and certain smaller entities in specific cases) operating in the sectors listed in NIS2 as “essential” or “important” entities, including operators of critical services and key digital providers. Management bodies of covered entities are directly responsible for approving and overseeing cybersecurity risk-management measures.

Scope

Cybersecurity risk-management, incident reporting, supervision and enforcement requirements for essential and important entities operating in the sectors listed in Annexes I and II across the EU.

Key Points

  • Replaces the 2016 NIS Directive and broadens coverage to additional sectors and entities classified as essential or important
  • Introduces baseline cybersecurity risk-management measures (including supply-chain security, business continuity, vulnerability handling and secure communications)
  • Sets staged incident reporting obligations (early warning, incident notification and final report) to national CSIRTs/competent authorities
  • Strengthens governance: management accountability, required training, and the ability for authorities to impose binding instructions and conduct audits
  • Enhances EU cooperation and crisis coordination through the CSIRTs network, ENISA support, and EU-CyCLONe
  • Provides for effective, proportionate and dissuasive penalties, including higher maximum administrative fines for essential entities

Key Deadlines

  • — Member State transposition deadline

Related Regulations

Frequently Asked Questions

Who must comply with the NIS2 Directive?

Medium and large entities, as well as certain smaller entities in specific cases, operating in the sectors listed as 'essential' or 'important' in NIS2 must comply. This includes operators of critical services and key digital providers across the EU.

What sectors and entities fall under the scope of NIS2?

NIS2 applies to entities in sectors listed in Annexes I and II, such as energy, transport, health, digital infrastructure, public administration, and more. Both essential and important entities are covered, with specific obligations depending on their classification.

What are the key cybersecurity obligations under NIS2?

Entities must implement risk-management measures, including supply-chain security, business continuity, vulnerability handling, and secure communications. Management bodies are responsible for approving and overseeing these measures.

What are the incident reporting requirements under NIS2?

After detecting a significant incident, entities must follow a staged reporting process with their national CSIRT or competent authority: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.

What penalties can be imposed for non-compliance with NIS2?

NIS2 provides for effective, proportionate, and dissuasive penalties, including significant administrative fines. Essential entities may face higher maximum fines compared to important entities.

How does NIS2 interact with other EU cybersecurity laws?

NIS2 replaces the original NIS Directive and aligns with other EU cybersecurity frameworks, such as the Cybersecurity Act and sector-specific regulations. It aims to harmonise requirements and avoid regulatory overlap.

What are the practical steps for compliance with NIS2?

Entities should conduct a risk assessment, implement required cybersecurity measures, establish incident reporting processes, ensure management engagement, and provide staff training. Regular reviews and updates to security policies are also necessary.

What is the role of management bodies under NIS2?

Management bodies are directly responsible for approving cybersecurity risk-management measures and overseeing their implementation. They must also ensure adequate training and can be held liable for failures in compliance.

When does NIS2 take effect and what are the timelines for compliance?

NIS2 entered into force in January 2023. Member States must transpose the Directive into national law by 17 October 2024, after which entities must comply with the new requirements.

How does NIS2 enhance EU-level cooperation in cybersecurity?

NIS2 strengthens cooperation through mechanisms like the CSIRTs network, ENISA support, and the EU-CyCLONe for crisis management, facilitating information sharing and coordinated responses to cyber incidents across the EU.

Key Terms

Essential Entities
Organisations in critical sectors (e.g., energy, health, transport) that provide vital services and are subject to the most stringent NIS2 requirements.
Important Entities
Entities in key sectors that are not classified as essential but still play a significant role in the economy or society and are subject to NIS2 obligations.
CSIRT (Computer Security Incident Response Team)
A national or sectoral team responsible for handling cybersecurity incidents and supporting entities in incident response and reporting.
EU-CyCLONe (European Cyber Crises Liaison Organisation Network)
An EU-level mechanism for coordinating large-scale cybersecurity crisis management among Member States.
Risk-Management Measures
A set of technical and organisational actions required by NIS2 to identify, assess, and mitigate cybersecurity risks.
Incident Reporting
The obligation for entities to notify authorities about significant cybersecurity incidents in a staged manner (early warning, notification, final report).
Management Body
The governing body or executive management of an entity, directly responsible for cybersecurity oversight and compliance under NIS2.
Supply-Chain Security
Measures to ensure that suppliers and service providers do not introduce cybersecurity risks to the entity’s operations.
ENISA (European Union Agency for Cybersecurity)
The EU agency supporting Member States and entities in implementing NIS2 and enhancing overall cybersecurity capabilities.
Supervisory Authority
The national authority designated to oversee compliance, conduct audits, and enforce penalties under NIS2.