Adoption of the NIS2 Directive

The European Union recognizes the importance of cybersecurity for the protection of EU member states, organizations, and EU citizens. For this reason, cybersecurity is one of the topics with high importance on the EU’s agenda. In 2016, the EU issued the Network Information Security Directive (NIS) with the objective of strengthening cybersecurity across the Union. This directive, in turn, was adopted into the national legislation framework of the EU member states. This was the first EU-wide cyber security legislation which led to a series of similar directives to regulate cybersecurity in the EU.

Cybersecurity is a very dynamic domain, and the challenges presented change at a rapid rate. The EU understood this and started working on an updated NIS directive to cater for new challenges present within this decade. The result was the NIS2 directive, which was adopted just recently on the 28th of November 2022. The directive shows that the EU is on the road to strengthen cybersecurity and resilience across the whole Union. The new directive will cater for:

  • Stronger risk, stronger incident management and co-operation. The new directive aims to attune cybersecurity requirements and implementation of cybersecurity measures in different member states by setting minimum rules for a regulatory framework and presents a mechanism for effective co-operation between authorities in all EU member states
  • Widening of the scope of the rules. Different from the previous NIS, where EU member states were responsible for determining the criteria of operators of essential services, the NIS2 introduces a size-cap rule as a rule for identification of regulated entities.
  • The new directive was aligned with other sector-specific legislation such as digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER). This will provide legal clarity and coherence between the different directives.
  • A voluntary peer-learning mechanism which will increase mutual trust and learning from good practices and experiences in the Union, achieving a high common level of cybersecurity.
  • Streamlines the reporting obligations in order to avoid over-reporting and creating an excessive burden on the entities covered.

Once the NIS2 is published in the Official Journal of the European Union, the process to transpose this directive into the national legislation framework of the member states will commence.