NIS2 Directive

Directive 2022/2555 on measures for a high common level of cybersecurity

Background and Scope

The Network and Information Security Directive 2 (NIS2) replaced its predecessor, NIS1 (Directive 2016/1148), with the aim of raising the EU’s common level of ambition on cybersecurity through a wider scope, clearer rules, and stronger supervision tools. NIS1 had been criticized for fragmented national implementations, weak enforcement, and vague reporting obligations, which limited its practical impact.

In addition to the sectors already covered by NIS1, including energy, transport, healthcare, finance, water management, and digital infrastructure, NIS2 also applies to providers of public electronic communications, social platforms, waste and wastewater management, critical product manufacturing, postal and courier services, public administration at both central and regional levels, and the space sector. As a general rule, medium-sized and large entities in these critical sectors are required to take appropriate cybersecurity risk-management measures and notify relevant national authorities of significant incidents.

The Digital Omnibus Regulation Proposal

In its Digital Omnibus Regulation Proposal, the Commission proposed that ENISA establish an EU-wide single entry point for incident reporting under several EU instruments, including NIS2, eIDAS, DORA, the CER Directive, and the GDPR. The aim is to reduce the administrative burden on businesses and allow a more focused approach to incident reporting.

Proposal for a Directive on Simplification Measures and Alignment with the Cybersecurity Act

In January 2026, the Commission proposed a new cybersecurity package to strengthen the EU’s cybersecurity resilience. The package simplifies compliance with EU cybersecurity rules for companies operating in the EU and introduces targeted amendments to NIS2, aiming to increase legal clarity through simplified jurisdictional rules, streamlined ransomware reporting, and a reinforced coordinating role for ENISA in the supervision of cross-border entities.

Key Obligations

  • Risk management: Entities must implement appropriate technical and organisational cybersecurity risk-management measures.
  • Incident reporting: NIS2 requires organisations to report significant incidents within a shorter timeframe than under NIS1.
  • Supply chain security: Each Member State must adopt a national cybersecurity strategy that includes policies for supply chain security and vulnerability management.
  • Governance and training: Regular security audits, enhanced incident response capabilities, and employee training and awareness programmes are required.
  • Cooperation: NIS2 sets up a network of Computer Security Incident Response Teams (CSIRTs) and establishes the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) to support coordinated management of large-scale incidents.

Timeline

January 20, 2026

The Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance for companies.

November 19, 2025

The European Commission presented the Digital Omnibus Regulation proposal, which would create an EU-wide incident reporting entry point operated by ENISA.

October 17, 2024

Deadline for Member States to transpose NIS2 into national law. NIS2 repealed NIS1 with effect from 18 October 2024.

January 16, 2023

NIS2 entered into force at EU level.

February 28, 2022

NIS2 formally adopted by the European Parliament.