
NIS2

NIS2 is the European Union directive intended to raise the level of cybersecurity across the Union by harmonizing security requirements, incident reporting, and supervisory practices for critical sectors and essential service providers. Formally Directive (EU) 2022/2555, it repeals and replaces the earlier NIS Directive (Directive (EU) 2016/1148, often called NIS1), broadens the scope, and tightens and clarifies the obligations placed on organizations and member states.

Scope and sectors govern which entities are covered. NIS2 designates essential and important entities across a wide range of sectors, including energy, transport, banking and financial market infrastructure, health care providers and hospitals, drinking water supply and distribution, wastewater treatment, and digital infrastructure such as cloud computing services, data centers, content delivery networks, internet exchange points, and certain providers of essential digital services. Public administrations and space-related activities are also included. The directive expands coverage to medium and large entities in those sectors and emphasizes supply chain and subcontractor risk as a core concern.

Key obligations require organizations to implement risk management measures proportionate to the risks they face. This includes establishing appropriate security policies and governance, incident handling and incident reporting to the relevant national authority or CSIRT (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month), business continuity and disaster recovery planning, and security of the supply chain. Organizations are also expected to conduct regular security testing, handle vulnerability disclosure where applicable, and apply encryption or other protective measures where appropriate.

Governance and enforcement involve national competent authorities and CSIRTs, with ENISA providing guidance and support to member states. Penalties for non-compliance are set by each member state within ceilings fixed by the directive (maximum fines of at least EUR 10 million or 2% of global annual turnover for essential entities, and at least EUR 7 million or 1.4% for important entities) and can be substantial, reflecting the directive’s emphasis on effective, proportionate and dissuasive enforcement.

Implementation timelines required member states to transpose the directive into national law by 17 October 2024, after which the substantive requirements take effect through national authorities and designated supervisory bodies. The overarching aim is to reduce fragmentation, improve resilience, and strengthen the EU’s collective cyber posture.