NIS2 Directive
Status
In Force
Reference
Directive (EU) 2022/2555
Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS2)
Also known as: NIS2 Directive
NIS2 is the EU's updated network and information security directive, replacing NIS1. It significantly expands the scope of covered entities, strengthens cybersecurity requirements, and increases penalties. It applies to medium and large enterprises in 18 critical sectors. Member states were required to transpose it into national law by October 17, 2024. It introduces management liability for cybersecurity failures and requires 24-hour early warning and 72-hour notification for significant incidents.
Jurisdiction
European Union
Regulator
European Union Agency for Cybersecurity
Effective
10/17/2024
Sector
cross-sector
Full Text / Summary
NIS2 represents a significant expansion of EU cybersecurity obligations. Key changes from NIS1 include:
(1) Expanded scope: 18 sectors vs. 7 in NIS1.
(2) Size threshold: medium and large enterprises (50+ employees or €10M+ turnover).
(3) Management liability: management bodies personally liable for infringements.
(4) Stricter incident reporting: 24-hour early warning, 72-hour notification, 1-month final report.
(5) Minimum security measures: 10 specific measures including supply chain security, MFA, cryptography.
(6) Higher penalties: up to €10M or 2% of global turnover for essential entities.
(7) Supervisory regime: ex ante for essential, ex post for important entities.
(8) Mutual recognition: security certifications under the EU Cybersecurity Act.
Implementation varies by member state.