The NIS2 Directive (Directive 2022/2555) sets a harmonized legal framework to improve cybersecurity across the European Union. Covering 18 critical sectors, the directive requires EU Member States to adopt national cybersecurity strategies and work together on cross-border threat response, enforcement, and information sharing.

What is the NIS2 Directive?

Cybersecurity is about safeguarding network and information systems (NIS), along with the people and organizations that depend on them, from cyberattacks and incidents. To address the EU’s growing exposure to threats, NIS2 replaced NIS1 (Directive 2016/1148) with stronger requirements, clearer rules, and a wider scope. It raises the overall level of cyber resilience in Europe by:

  • Expanding the number of covered sectors and entities.
  • Introducing stricter risk management and reporting obligations.
  • Holding top management accountable for compliance.
  • Enhancing cooperation, supervision, and enforcement mechanisms.

Key Requirements for EU Member States

Each Member State must:

  • Implement a national cybersecurity strategy covering supply chain security, vulnerability management, and cyber awareness.
  • Maintain and update a list of operators of essential services that must comply with NIS2 obligations.
  • Ensure entities adopt risk-based cybersecurity measures and promptly report major incidents to national authorities.

Expanded Scope of Critical Sectors

NIS2 goes beyond the sectors in NIS1 (energy, transport, finance, healthcare, water, and digital infrastructure). The directive now also applies to:

  • Providers of public electronic communications and digital services (including social platforms).
  • Waste and wastewater management.
  • Manufacturers of critical products.
  • Postal and courier services.
  • Public administration (central and regional).
  • The space sector.

In general, medium-sized and large organizations in these sectors must meet NIS2 compliance standards to ensure continuity and security of vital services.

Enforcement, Accountability, and Cooperation

The directive emphasizes top-level accountability, making boards and executives responsible for ensuring cybersecurity compliance. It also establishes:

  • Computer Security Incident Response Teams (CSIRTs): to share intelligence and respond to threats.
  • EU-CyCLONe (European Cyber Crisis Liaison Organisation Network): to coordinate responses to large-scale cyber incidents.
  • The NIS Cooperation Group: bringing together EU Member States, the European Commission, and ENISA to issue strategic guidance and best practices.

Background of NIS2

The original NIS1 Directive (2016/1148) was the EU’s first major cybersecurity law, designed to protect essential services. In December 2020, the European Commission proposed an update to address new challenges, leading to the adoption of NIS2 in January 2023. Member States must transpose NIS2 into national law by October 17, 2024, with NIS1 officially repealed on October 18, 2024.