16 January 2023 – the NIS2 Directive came into force. Companies need to take care of the preparatory measures for compliance with NIS2 now.
18 October 2024 – Member States will apply the measures that they have adopted in the course of the implementation of the NIS2 Directive at local level.
The new 'NIS2 Directive' repeals the current Directive on security of network and information systems (NIS Directive) and amends the rules on the security of network and information systems. The NIS2 Directive is part of a package of instruments and initiatives to further improve the resilience of public and private entities against cybersecurity threats. It sets rules to ensure the protection and smooth, uninterrupted functioning of services that are critical for society. To this end, it modernises the existing legal framework built on the NIS Directive, in particular by expanding its scope and by strengthening and streamlining security and reporting requirements. The Act furthermore introduces more stringent supervisory measures for national authorities and stricter enforcement requirements, and aims at harmonising sanctions regimes across Member States.
The NIS2 Directive expands the scope of the current NIS Directive in two ways:
The Act furthermore eliminates the distinction between operators of essential services and digital service providers. Entities are divided into essential and important entities, reflecting the level of criticality of the sector or of the type of services they provide, as well as their size.
By 17 October 2024, Member States will need to adopt and publish the measures necessary to comply with the NIS2 Directive. They will apply those measures from 18 October 2024.
Importantly, each Member State may extend the scope of the new cybersecurity rules and obligations. At Bird & Bird, we monitor the developments for all EU Member States and identify national add-ons. See our free NIS2 Directive Implementation Tracker.
*Information is accurate up to 22 April 2024