Cybersecurity

NIS2 Directive

Latest Developments

16 January 2023 – the NIS2 Directive came into force. Companies need to take care of the preparatory measures for compliance with NIS2 now.

18 October 2024 – Member States will apply the measures that they have adopted in the course of the implementation of the NIS2 Directive at local level.

Summary

The new 'NIS2 Directive' repeals the current Directive on security of network and information systems (NIS Directive), amending the rules on the security of network and information systems. The NIS2 Directive is part of a package of instruments and initiatives to further improve the resilience of public and private entities against cybersecurity threats. It sets rules to ensure the protection and smooth, uninterrupted functioning of services which are critical for society. To this end, it modernises the existing legal framework built on the NIS Directive, in particular expanding its scope as well as strengthening and streamlining security and reporting requirements. The act furthermore introduces more stringent supervisory measures for national authorities and stricter enforcement requirements, and aims at harmonising sanctions regimes across Member States.

How could it be relevant for you?

The NIS2 Directive expands the scope of the current NIS Directive in two ways:

  • Adding new sectors, including inter alia data centre service providers, providers of social networking services platforms and certain groups of manufacturers, selected based on how crucial they are for the economy and society, and
  • Introducing a clear company size threshold which, if met or exceeded, assumes that companies of certain sectors are critical and thereby in scope, meaning that all medium and large companies in selected sectors (see Annex I (Sectors of High Criticality) and Annex II (Other Critical Sectors)) will be included in the scope. At the same time, certain further entities with a high security risk profile and regardless of their size (e.g., trust service providers and top-level domain name registries as well as DNS service providers), including those identified by Member States as essential entities, will be subject to the new regime.

The Act furthermore eliminates the distinction between operators of essential services and digital service providers. Entities are divided into essential and important entities, reflecting the level of criticality of the sector or of the type of services they provide, as well as their size.

Annex I – Sectors of High Criticality

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
    • Internet Exchange Point providers
    • DNS service providers, excluding operators of root name servers
    • TLD name registries
    • Cloud computing service providers
    • Data centre service providers
    • Content delivery network providers
    • Trust service providers
    • Providers of public electronic communications networks or providers of electronic communications services
  • ICT-service management (B2B)
    • Managed service providers (MSP)
    • Managed security service providers (MSSP)
  • Public administration entities (excluding the judiciary, parliaments and central banks) and
  • Space

Annex II – Other Critical Sectors

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Food production, processing and distribution
  • Manufacturing
    • Manufacture of medical devices and in vitro diagnostic medical devices
    • Manufacture of computer, electronic and optical products
    • Manufacture of electrical equipment
    • Manufacture of machinery and equipment n.e.c.
    • Manufacture of motor vehicles, trailers and semi-trailers
    • Manufacture of other transport equipment
  • Digital providers
    • Providers of online marketplaces
    • Providers of online search engines
    • Providers of social networking services platform
  • Research

Next steps:

By 17 October 2024, Member States will need to adopt and publish the measures necessary to comply with the NIS2 Directive. They will apply those measures from 18 October 2024.

Importantly, each Member State may extend the scope of the new cybersecurity rules and obligations. At Bird & Bird, we monitor the developments for all EU Member States and identify national add-ons. See our free NIS2 Directive Implementation Tracker.

*Information is accurate up to 22 April 2024
