NIS2 Directive – the most important EU cybersecurity act finally adopted

The overall purpose of the NIS2 Directive is to further improve the resilience and incident response capacities of both the public and private sectors as well as the EU as a whole. It furthermore aims at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. To this end, the NIS 2 Directive in particular

• Widens the scope of the rules covering as a general rule medium and large entities from more sectors that are critical for the economy and society to respond to the increased exposure of Europe to cyber threats;
• Provides legal clarity and ensures coherence between the NIS2 Directive and sector-specific legislation;
• Strengthens cybersecurity risk and incident management;
• Includes express governance requirements;
• Introduces more stringent supervisory measures for national authorities as well as stricter enforcement requirements;
• Aims at harmonising sanctions regimes across Member States; and
• Introduces accountability of top management for non-compliance with cybersecurity obligations.

Next steps

Once published in the Official Journal, the NIS2 Directive will enter into force 20 days after publication and Member States will then have 21 months to transpose the Directive into national law. In Germany, for example, following the IT Security Act 2.0, the legislator will have to deal with an IT Security Act 3.0.

For further information contact Feyo Sickinghe and Natallia Karniyevich