The NIS2 Directive: Towards a Firmer EU-wide Cybersecurity ‎Framework

Privacy & Cybersecurity Newsletter
April 2023


At the end of 2022, the European Parliament adopted the “Directive on measures for a high ‎common level of cybersecurity across the Union” or the “NIS2 Directive” in short. This new ‎Directive must be implemented by all EU Member States by October 17, 2024, and replaces ‎the former “Network and Information Security Directive” (the “first NIS Directive”), which ‎dates from 2016.‎

A recent review of the first NIS Directive has shown a wide divergence in its implementation ‎by Member States. For instance, the delineation of the scope of the first NIS Directive was ‎largely left to the discretion of the Member States. Further, the former Directive allowed ‎Member States wide discretion as regards the implementation of security and incident ‎reporting obligations laid down in the first NIS Directive, leading to significant differences at ‎a national level. ‎

Where the first NIS Directive focused primarily on the security of network and information ‎systems, the scope of the new NIS2 Directive targets the broader “cybersecurity” topic. ‎Companies subject to the NIS2 Directive will be required to take adequate measures in ‎terms of compliance with cybersecurity risk-management measures and reporting ‎obligations. If they fail to do so, they can be subject to fines that are calculated based on ‎their global turnover in a way similar to the General Data Protection Regulation (GDPR).‎

In view of organizing appropriate oversight, the NIS2 Directive: ‎

  • sets out minimum rules regarding the functioning of a coordinated regulatory ‎framework between the Member States;‎
  • ‎lays down mechanisms for effective cooperation among the responsible authorities ‎in each Member State; and ‎
  • provides for effective remedies and enforcement measures which are key to the ‎effective enforcement of those obligations.‎


For the purpose of compliance with cybersecurity risk-management measures and reporting ‎obligations, the NIS2 Directive distinguishes between essential entities and important ‎entities. Determining factors are the extent to which entities are critical as regards their ‎sector or the type of service they provide, as well as their size. This way, the EU intends to ‎strike a fair balance between risk-based requirements and obligations imposed on ‎companies on the one hand, and the administrative burden stemming from the supervision ‎of compliance on the other. ‎

Each Member State must draw up a list of essential and important entities, including ‎entities providing domain name registration services.‎

Compared to the first NIS Directive, the NIS2 Directive covers additional sectors that are ‎critical for the economy and society, including providers of public electronic ‎communications networks and services, data centre services, waste water and waste ‎management, manufacturing of critical products, postal and courier services and public ‎administration entities. Also, the healthcare sector is covered more broadly to include, for ‎example, research and development of medicine and the manufacture of pharmaceutical ‎products.‎The following sectors are considered highly critical in terms of the NIS2 Directive, where all ‎medium and large-sized companies are included in the scope:‎

  1. Energy, in particular electricity, district heating and cooling, oil, gas, and hydrogen;‎
  2. Transport by air, rail, water and road;‎
  3. Banking / credit institutions;‎
  4. Financial market infrastructures;‎
  5. Healthcare, including healthcare providers, EU reference laboratories, R&D activities ‎of medicinal products, entities manufacturing basic pharmaceutical products and ‎preparations, as well as entities manufacturing medical devices considered to be ‎critical during a public health emergency;‎
  6. Suppliers and distributors of drinking water;‎
  7. Entities collecting, disposing of or treating urban, domestic or industrial waste ‎water;‎
  8. Digital infrastructure providers, such as internet exchange point providers, DNS ‎service providers, TLD name registries, as well as a wide variety of IT service ‎providers (cloud, data centres, content delivery networks, trust, public electronic ‎communications networks, and providers of publicly available electronic ‎communications services);‎
  9. B2B ICT managed service providers and managed security providers;‎
  10. Public administration entities of central governments; and
  11. Operators of ground-based infrastructure that is owned, managed and operated by ‎Member States or by private parties.‎

Other critical sectors include:‎

  1. Postal and courier services;‎
  2. Entities engaged in waste management;‎
  3. Undertakings carrying out the manufacture, production and distribution of certain ‎chemicals;‎
  4. ‎Food businesses that are engaged in wholesale distribution and industrial ‎production and processing;‎
  5. ‎Entities manufacturing certain
    1. medical devices and in vitro diagnostic medical devices;‎
    2. computer, electronic and optical products;‎
    3. electrical equipment;‎
    4. machinery and equipment n.e.c.;‎
    5. motor vehicles, trailers and semi-trailers;‎
    6. other transport equipment;‎
  6. Providers of online marketplaces, online search engines and social networking ‎services platforms; and
  7. Research organizations.‎

Member States have some discretion in identifying smaller entities that are also to be ‎considered within the scope of their updated national legal frameworks because of their ‎high security risk profile.‎

New obligations for entities in scope

Under the first NIS Directive, companies had to take appropriate and proportionate ‎technical, operational and organizational measures to manage their cybersecurity risks, in ‎view of preventing and minimizing the impact of potential incidents. Whilst this principle is ‎kept in the NIS2 Directive, the new framework clearly takes a risk management approach ‎and imposes more concrete, detailed security obligations upon entities that are within its ‎scope.‎

In particular, the NIS2 Directive provides a minimum list of required security measures, ‎including: ‎

  • incident reporting towards competent authorities, the content of these reports and ‎related timelines, this in view of facilitating the EU-wide exchange of information ‎and cooperation on crisis management;‎
  • supply chain security;‎
  • vulnerability handling and disclosure;‎
  • the use of cryptography and, where appropriate, encryption;‎
  • policies and procedures to assess the effectiveness of cybersecurity risk ‎management measures; as well as
  • cybersecurity hygiene and training.‎

In relation to incident reporting, affected entities must submit an early warning to the CSIRT ‎or competent national authority within 24 hours from when they first become aware of an ‎incident, and can ask them for guidance or operational advice on the implementation of ‎possible mitigation measures. The early warning should be followed by an incident ‎notification within 72 hours of becoming aware of such incident and a final report no later ‎than one month later.‎

Oversight and enforcement

To strengthen the supervision on the compliance of the entities within scope of NIS2, the ‎NIS2 Directive provides for a list of supervisory means through which competent authorities ‎may supervise essential and important entities, such as carrying out regular and targeted ‎audits, performing on-site and off-site checks, request information and access to documents ‎or evidence.‎

Generally speaking, compliance oversight will be organized at a national level, where ‎national authorities will supervise essential and important entities that are established in ‎their Member State. If such an entity is established in more than one Member State, ‎multiple national authorities will have jurisdiction. In such case, these authorities will be ‎required to cooperate, provide mutual assistance to each other and, as the case may be, ‎carry out supervisory actions in a coordinated way. Exceptions apply, however, for ‎providers of public electronic communications networks or publicly available electronic ‎communications services, public administration entities, as well as certain digital ‎infrastructure providers and B2B ICT service providers.‎

The NIS2 Directive introduces provides more stringent and far-reaching supervisory powers ‎to national authorities, which can take a wide variety of enforcement actions, such as ‎issuing binding instructions, orders to implement the recommendations of security audits, ‎or orders to bring security measures in line with the Directive’s requirements, and imposing ‎administrative fines. ‎

With respect to the latter, the NIS2 Directive distinguishes between: ‎

  • essential entities, where fines can amount to a maximum of at least €10,000,000 or ‎‎2% of the total worldwide annual turnover of the preceding financial year, ‎whichever is higher; and
  • important entities, these maximum amounts are lowered to at least € 7,000,000 or ‎at least 1,4% of the total worldwide annual turnover of the preceding financial year, ‎whichever is higher.‎

When imposing fines, national authorities should of course consider the particular ‎circumstances of each case, such as the nature, gravity and duration of the infringement, ‎the damage caused or losses incurred, as well as the intentional or negligent character of ‎the infringement.‎

In view of ensuring real accountability for cybersecurity measures taken by entities within ‎its scope, the NIS2 Directive also introduces liability provisions for natural persons holding ‎senior management positions.‎

Other initiatives

As the focus of the EU is clearly shifting towards more responsibility and accountability of ‎companies in in relevant sectors, it is essential that they adjust / update / upgrade their ‎compliance programs in view of meeting the requirements of the NIS2 Directive by the ‎October 17, 2024 deadline. ‎

As the NIS2 Directive is only one of the cornerstones of the EU’s plans to increase its security ‎efforts, these programs must also consider other general or sector-specific initiatives taken ‎at the European level, such as:

  • the Digital Operational Resilience Act (DORA), which aims to strengthen the IT ‎security of financial institutions such as banks, insurance companies and investment ‎firms by ensuring that they can continue to operate resiliently in the event of serious ‎operational disruptions;‎
  • the new CER Directive (EU) 2022/2557 of the European Parliament and of the ‎Council of 14 December 2022 on the resilience of critical entities; and
  • The EU Cybersecurity Act (Regulation (EU) 2019/881 of the European Parliament and ‎of the Council of 17 April 2019 on ENISA (the European Union Agency for ‎Cybersecurity) and on information and communications technology cybersecurity ‎certification and repealing Regulation (EU) No 526/2013).‎

Therefore, it is essential for entities in scope of NIS2 to take a holistic approach towards ‎cybersecurity and operational resilience, bearing in mind the key legislative principles on ‎the one hand, and provide for sufficient flexibility on the other hand to accommodate for ‎new requirements and initiatives. ‎