NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for achieving a high common level of cybersecurity across the Union. It entered into force on 16 January 2023 and must be transposed into national law by 17 October 2024.

Scope

NIS2 significantly expands the scope of its predecessor (NIS Directive) by covering more sectors and entity types, including energy, transport, health, digital infrastructure, ICT service management, public administration, and space.

Key Requirements

• Cybersecurity risk-management measures (Art. 21)
• Incident reporting obligations within 24/72 hours (Art. 23)
• Supply chain security requirements
• Management body accountability and training
• Cooperation and information sharing between member states
• Enforcement with administrative fines up to EUR 10 million or 2% of global turnover

Articles

Browse the full text of the directive article by article using the table of contents on the left.