NIS2 Directive
The NIS2 Directive (EU 2022/2555) strengthens cybersecurity for critical infrastructure and essential services in the EU with expanded obligations and stricter sanctions.
Summary
The NIS2 Directive (Directive (EU) 2022/2555) is the revised EU directive on network and information security. It replaces the original NIS Directive of 2016, significantly expands its scope, tightens security requirements, and introduces stricter sanctions.
- Expanded scope: Now covers 18 sectors including energy, transport, health, digital infrastructure, public administration, and space.
- Two categories: Distinction between "essential" and "important" entities with graduated requirements.
- Reporting obligations: Significant security incidents must be reported within 24 hours.
- Management responsibility: Senior management is personally liable for implementing cybersecurity measures.
History
The original NIS Directive (2016/1148) was the EU's first cybersecurity legislation, setting minimum requirements for operators of essential services and digital service providers. Its fragmented implementation and the rapidly evolving threat landscape necessitated a comprehensive revision. The EU Commission published the NIS2 draft in December 2020. After trilogue negotiations, the directive entered into force on 16 January 2023. Member states were required to transpose it into national law by 17 October 2024. On 20 January 2026, the EU Commission proposed targeted amendments to the NIS2 Directive as part of a new cybersecurity package, aiming to increase legal clarity and simplify compliance, particularly for smaller enterprises.
Scope
NIS2 applies to medium and large organizations (50+ employees or EUR 10 million annual turnover) in 18 critical sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service providers, public administration, space, postal services, waste management, chemicals, food, manufacturing, digital services, and research. Smaller entities may also be in scope if they fulfil critical roles.
Key Requirements
- Risk management measures: Risk analysis, incident management, business continuity, supply chain security, network security, cryptography, access control.
- Reporting obligations: Early warning within 24 hours, full notification within 72 hours, final report within one month.
- Management responsibility: Mandatory training for leadership; personal liability of senior management.
- Registration: Essential and important entities must register with national authorities.
- Sanctions: Essential entities: up to EUR 10 million or 2% of global annual turnover; important entities: up to EUR 7 million or 1.4%.
Related Frameworks
Corrections & Errata
1 correction:
- Wrong date for entry into force of original NIS Directive in key_dates
1 update:
- NIS2 amendment proposal from January 2026 missing