NIS2 Directive – the most important EU cybersecurity act finally adopted

Written By

Feyo Sickinghe

Of Counsel
Netherlands

I am a Principal Regulatory Counsel in our Regulatory & Public Affairs practice in the Netherlands and Brussels. I have a focus on tech and comms and digital markets regulation, drawing on in-depth business knowledge and extensive experience in TMT and public administration.

Dr. Natallia Karniyevich

Associate
Germany

I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.

On 10 November 2022, the European Parliament approved the Directive on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”). This act will repeal the current directive on security of network and information systems (“NIS Directive”), amending the rules on the security of network and information systems and increasing the level of cyber resilience required of critical public and private sectors.

The overall purpose of the NIS2 Directive is to further improve the resilience and incident response capacities of both the public and private sectors as well as the EU as a whole. It furthermore aims at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. To this end, the NIS2 Directive in particular:

  • Widens the scope of the rules, covering, as a general rule, medium and large entities from more sectors that are critical for the economy and society, in order to respond to the increased exposure of Europe to cyber threats;
  • Provides legal clarity and ensures coherence between the NIS2 Directive and sector-specific legislation;
  • Strengthens cybersecurity risk and incident management;
  • Includes express governance requirements;
  • Introduces more stringent supervisory measures for national authorities as well as stricter enforcement requirements;
  • Aims at harmonising sanctions regimes across Member States; and
  • Introduces accountability of top management for non-compliance with cybersecurity obligations.

Next steps

Once published in the Official Journal, the NIS2 Directive will enter into force 20 days after publication and Member States will then have 21 months to transpose the Directive into national law. In Germany, for example, following the IT Security Act 2.0, the legislator will have to deal with an IT Security Act 3.0.

For further information, contact Feyo Sickinghe and Natallia Karniyevich.
