On 17 January 2023, EU Directive No. 2022/2555 of 14 December 2022 (the "NIS2 Directive"), which aims to improve the resilience and responsiveness of both the public and private sectors to cyber incidents, came into force. The new directive addresses the limitations and shortcomings of the previous NIS1 Directive, which was adopted in 2016 and was the EU's first legislative act on cybersecurity aimed at achieving a high common level of cybersecurity in all Member States. One of the main criticisms of the NIS1 Directive was its operational vagueness: its obligations were too general, leading to significant heterogeneity among Member States.

The NIS2 Directive modernises the regulatory framework by specifying, strengthening, and expanding the scope of these obligations to more recipients. It is based on four key principles: personal data protection, fundamental rights, safety and cybersecurity. The NIS2 Directive's primary objectives include strengthening security requirements, addressing supply chain security, simplifying reporting obligations, introducing stricter oversight measures and enforcement requirements, and harmonising sanctions throughout the EU.

One of the main innovations of the NIS2 Directive is its scope of application, which includes companies operating in specific sectors, eliminating the discretionary power of Member States to reshape the subjective scope of application. The directive applies to all large companies that provide (a) digital services, (b) healthcare services and (c) food production services, including the retail supply chain. However, it does not apply to entities operating in the defence and national security, public safety, law enforcement and justice sectors, nor to parliamentary and central bank entities. For public administrations, the NIS2 Directive will apply to central and regional entities, while Member States may decide to extend the scope to the local level.
Overall, the NIS2 Directive represents an important opportunity to modernise European cybersecurity systems and contributes to achieving the digitalisation objectives outlined in the Digital Compass to be realised by 2030. The Directive provides a more specific and detailed set of obligations, harmonising and simplifying reporting obligations and ensuring the same level of security in all Member States. By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with the Directive.

Originally published by March, 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.