Today, on 27 December 2022, the NIS2 Directive was officially published in the Official Journal of the European Union and will enter into force in twenty days.
The NIS 2 Directive replaces and repeals the NIS Directive (Directive 2016/1148/EC). NIS 2 improves cybersecurity risk management and introduces reporting obligations across sectors such as energy, transport, health, and digital infrastructure.
NIS2 sets the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health, and digital infrastructure.
The revised directive aims to remove divergences in cybersecurity requirements and in the implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.
The directive formally establishes the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which supports the coordinated management of large-scale cybersecurity incidents.
While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.
Here is the text of the Directive and the link to the Official Journal.
Sources:
- “The NIS 2 Directive” website. Retrieved on 27 December 2022 at https://www.nis-2-directive.com/
- Official Journal of the European Union, Volume 65, 27 December 2022, English edition. Retrieved on 27 December 2022 at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2022:333:FULL&from=FR