The EU NIS 2 Directive, formally known as Directive (EU) 2022/2555, establishes a unified legal framework to enhance cybersecurity across the European Union by setting stricter and more comprehensive requirements for network and information systems security. It replaces the original NIS Directive from 2016 and significantly expands its scope to cover a wider range of sectors—18 critical sectors including energy, transport, healthcare, finance, digital infrastructure, public administration, manufacturing of critical products, and new areas such as wastewater management and social platforms. The directive mandates that medium and large entities in these sectors implement risk management measures, report significant cybersecurity incidents, and comply with enhanced supervision and enforcement mechanisms. It also requires Member States to develop national cybersecurity strategies, improve cross-border cooperation, and ensure supply chain security and vulnerability management. NIS 2 introduces a classification of entities as “essential” or “important” based on sector and size, with corresponding obligations and stricter penalties. The directive aims to raise the overall EU cybersecurity level, addressing the growing threat landscape and fostering a more resilient digital single market.
Publication's URL
https://eur-lex.europa.eu/eli/dir/2022/2555/oj/engAdditional documents on this topic
- EU Commission Delegated Regulation 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
- EU Commission Delegated Regulation 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
- EU Commission Delegated Regulation 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- BSI Standard 200-4: Business Continuity Management (BCM)
- EU Regulation 2022/2554 Digital Operational Resilience Act (DORA)