NIS2 Directive
What is NIS2 Directive?
NIS2 Directive: EU Directive (EU) 2022/2555, which raises baseline cybersecurity requirements and incident-reporting obligations for essential and important entities across the Union.
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's second-generation network and information security law, replacing the original NIS Directive of 2016 (Directive (EU) 2016/1148). It was adopted in December 2022, entered into force in January 2023, and Member States were required to transpose it into national law by 17 October 2024. NIS2 applies by default to medium-sized and large entities in the sectors listed in its Annexes I and II (energy, transport, banking, health, digital infrastructure, ICT service management, public administration, manufacturing of critical products and more), dividing them into essential and important entities. It introduces stricter security measures (Article 21), supply-chain risk management, personal accountability of management bodies (Article 20), and a staged reporting regime for significant incidents: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month, all to the national CSIRT or competent authority. Sanctions include administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to EUR 7 million or 1.4% for important entities.
● Examples
- 01
A large energy supplier in Germany (above the medium-sized enterprise ceiling, and therefore an essential entity under Article 3) that must register with the national competent authority and send an early warning within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours.
- 02
A managed-service provider scoped as an important entity required to implement Article 21 risk-management measures.
● Frequently asked questions
What is NIS2 Directive?
EU Directive 2022/2555 that raises baseline cybersecurity requirements and incident-reporting obligations for essential and important entities across the Union. It belongs to the Compliance & Frameworks category of cybersecurity.
What does NIS2 Directive mean?
EU Directive 2022/2555 that raises baseline cybersecurity requirements and incident-reporting obligations for essential and important entities across the Union.
How does NIS2 Directive work?
NIS2 works through a scope rule, a set of obligations, and supervision. Entities determine whether they fall in scope (medium-sized or large, in an Annex I or II sector, or specifically designated) and whether they are essential or important, then register with the national competent authority. They must implement the Article 21 risk-management measures, with the management body approving and overseeing them under Article 20. Significant incidents are reported to the CSIRT or competent authority on a fixed timeline: early warning within 24 hours, incident notification within 72 hours, final report within one month. Competent authorities supervise essential entities proactively and important entities after the fact, and can impose fines of up to EUR 10 million or 2% of worldwide annual turnover on essential entities and EUR 7 million or 1.4% on important entities.
How do you comply with NIS2 Directive?
Compliance with NIS2 centres on the Article 21 risk-management measures: risk analysis and information-system security policies; incident handling; business continuity, backup and crisis management; supply-chain security; security in network and system acquisition, development and maintenance, including vulnerability handling and disclosure; policies to assess the effectiveness of the measures; cyber hygiene and security training; cryptography and, where appropriate, encryption; human-resources security, access control and asset management; and multi-factor authentication and secured communications where appropriate. Alongside these, entities need an incident-response process that can meet the 24-hour, 72-hour and one-month reporting deadlines, and management bodies must approve the measures and undergo training under Article 20.
What are other names for NIS2 Directive?
Common alternative names include: NIS 2, Directive (EU) 2022/2555.
● Related terms
- GDPR (compliance)
The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- DORA (compliance)
EU Regulation 2022/2554 on Digital Operational Resilience for the financial sector, applicable from 17 January 2025.
- ISO/IEC 27001 (compliance)
The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
- Incident Response Plan (forensics-ir)
A documented, approved playbook that defines how an organisation prepares for, detects, contains, eradicates, recovers from, and learns from cyber incidents.
- Supply Chain Attack (attacks)
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.