🔹 Definition
The NIS2 Directive is the updated European Union (EU) cybersecurity legislation, formally titled the Directive on Measures for a High Common Level of Cybersecurity Across the Union, which replaces the original NIS Directive (2016). Adopted in January 2023, NIS2 significantly expands the scope, requirements, and enforcement powers to enhance cyber resilience, incident response, and supply chain security across critical and important sectors in the EU.
The directive sets minimum cybersecurity obligations for a wide range of public and private entities and introduces stricter supervisory and penalty frameworks for non-compliance.
🔹 Frequently Asked Questions (FAQs)
Q1: What is the purpose of NIS2?
- To strengthen the cybersecurity posture of essential and important entities across the EU
- To improve cross-border cooperation on cyber incidents
- To address new threats including ransomware, supply chain attacks, and critical infrastructure disruptions
- To ensure resilience of digital infrastructure and services
Q2: Who is subject to NIS2?
NIS2 applies to both essential entities and important entities across a range of sectors, including:
- Essential: Energy, transport, health, banking, financial markets, public administration, water, space
- Important: Digital providers (e.g. cloud, data centers, online platforms), postal services, food, chemicals, manufacturing, waste management
Entities are generally included based on size (medium or large enterprises) and sectoral importance, regardless of whether they are public or private.
Q3: What are the key requirements under NIS2?
- Implementation of robust cybersecurity risk management practices
- Incident reporting obligations (within 24 hours for major incidents)
- Supply chain risk assessment and third-party controls
- Business continuity planning and crisis response procedures
- Designation of a responsible management body for compliance
- Regular audits and reporting to competent national authorities
Q4: What are the penalties for non-compliance?
- Administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher
- Potential temporary bans, supervisory actions, or public reprimands
- Directors and executives may be held personally accountable for failure to ensure compliance
Q5: When does NIS2 take effect?
- The directive entered into force in January 2023
- Member states must transpose NIS2 into national law by 17 October 2024
- Enforcement and compliance requirements will become mandatory from that date onward
