NIS 2 Directive training

The NIS 2 Directive


13 May 2022 - Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament

The Council and the European Parliament agreed on measures for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.

Once adopted, the new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive).

Stronger risk and incident management and cooperation

NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure.

The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.

Widening of the scope of the rules

While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.

While the agreement between the European Parliament and the Council maintains this general rule, the provisionally agreed text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered.

The text also clarifies that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope.

As public administrations are also often targets of cyberattacks, NIS2 will apply to public administration entities at central and regional level. In addition, member states may decide that it applies to such entities at local level too.

Other changes introduced by the co-legislators

The European Parliament and the Council have aligned the text with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts.

A voluntary peer-learning mechanism will increase mutual trust and learning from good practices and experiences, thereby contributing to achieving a high common level of cybersecurity.

The two co-legislators have also streamlined the reporting obligations in order to avoid causing over-reporting and creating an excessive burden on the entities covered.

Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.

Next steps

The provisional agreement concluded today is now subject to approval by the Council and the European Parliament.

On the Council’s side, the French presidency intends to submit the agreement to the Council’s Permanent Representatives Committee for approval soon.


A revised Directive on Security of Network and Information Systems (NIS 2 Directive).

16.12.2020 - The European Commission adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive).

In spite of its notable achievements, the Directive on the security of network and information systems (NIS Directive) has by now also proven its limitations. The digital transformation of society (intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about new challenges, which require adapted and innovative responses.

Now any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on the delivery of services across the whole internal market.

To address these challenges, as announced in the Communication on Shaping Europe’s Digital Future, the Commission accelerated the Directive’s review to the end of 2020, carried out an impact assessment and presented a new legislative proposal.

This proposal is part of a package of measures to improve further the resilience and incident response capacities of public and private entities, competent authorities and the Union as a whole in the field of cybersecurity and critical infrastructure protection. It is in line with the Commission’s priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people.

Cybersecurity is a priority in the Commission’s response to the COVID-19 crisis. The package includes a new Strategy on Cybersecurity with the aim of strengthening the Union’s strategic autonomy to improve its resilience and collective response and to build an open and global internet. Finally, the package contains a proposal for a directive on the resilience of critical operators of essential services, which aims to mitigate physical threats against such operators.

This proposal builds on and repeals Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), which is the first piece of EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the Union. The NIS Directive has:

(1) contributed to improving cybersecurity capabilities at national level by requiring Member States to adopt national cybersecurity strategies and to appoint cybersecurity authorities;

(2) increased cooperation between Member States at Union level by setting up various fora facilitating the exchange of strategic and operational information; and

(3) improved the cyber resilience of public and private entities in seven specific sectors (energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructures) and across three digital services (online marketplaces, online search engines and cloud computing services) by requiring Member States to ensure that operators of essential services and digital service providers put in place cybersecurity requirements and report incidents.

The proposal modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape. Both developments have been further amplified since the onset of the COVID-19 crisis. The proposal also addresses several weaknesses that prevented the NIS Directive from unlocking its full potential.

Notwithstanding its notable achievements, the NIS Directive, which paved the way for a significant change in mind-set in relation to the institutional and regulatory approach to cybersecurity in many Member States, has also proven its limitations. The digital transformation of society (intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about new challenges which require adapted and innovative responses. The number of cyber-attacks continues to rise, with increasingly sophisticated attacks coming from a wide range of sources inside and outside the EU.

The evaluation of the functioning of the NIS Directive, conducted for the purposes of the Impact Assessment, identified the following issues:

(1) the low level of cyber resilience of businesses operating in the EU;

(2) the inconsistent resilience across Member States and sectors; and

(3) the low level of joint situational awareness and lack of joint crisis response. For example, certain major hospitals in a Member State do not fall within the scope of the NIS Directive and hence are not required to implement the resulting security measures, while in another Member State almost every single healthcare provider in the country is covered by the NIS security requirements.

Being an initiative within the Regulatory Fitness Programme (REFIT), the proposal aims at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. Most notably, this is achieved by abolishing the obligation of competent authorities to identify operators of essential services and by increasing the level of harmonisation of security and reporting requirements to facilitate regulatory compliance for entities providing cross-border services. At the same time, competent authorities will also be given a number of new tasks, including the supervision of entities in sectors so far not covered by the NIS Directive.

16.12.2020 - The Proposal for a directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

16.12.2020 - Annexes to the Proposal for a directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148

The NIS 2 Directive, European Parliament, A high common level of cybersecurity in the EU


European Council - Strengthening EU-wide cybersecurity and resilience.

NIS 2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure.

The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

The directive will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.

While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.

While the Council’s position maintains this general rule, it includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered.

The Council text also clarifies that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope.

As public administrations are also often targets of cyberattacks, NIS2 will apply to public administration entities of central governments. In addition, member states may decide that it applies to such entities at regional and local level too.


The first NIS directive, main elements.

The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU, in order to contribute to the overall functioning of the internal market. It is based on 3 main pillars:

1. In order to achieve a high level of preparedness of Member States, the NIS Directive requires Member States to adopt a national strategy on the security of network and information systems. Member States are also required to designate national Computer Security Incident Response Teams (CSIRTs), which are responsible for risk and incident handling, a competent national NIS authority, and a single point of contact (SPOC). The SPOC has to exercise a liaison function to ensure cross-border cooperation between the Member State authorities and the relevant authorities in other Member States, and with the NIS Cooperation Group.

2. The NIS Directive establishes the NIS Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States, and the CSIRTs Network, which promotes swift and effective operational cooperation between national CSIRTs.

3. The NIS Directive ensures that cybersecurity measures are taken across seven sectors which are vital for our economy and society and which rely heavily on ICT, namely energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure.

Public and private entities identified by the Member States as operators of essential services (OES) in these sectors are required to undertake a cybersecurity risk assessment and put in place appropriate and proportionate security measures. They are required to notify serious incidents to the relevant authorities. Providers of key digital services (digital service providers or DSPs), such as search engines, cloud computing services and online marketplaces, also have to comply with the security and notification requirements under the Directive. At the same time, the latter are subject to a so-called ‘light-touch’ regulatory regime, which entails, among other measures, that they are under the jurisdiction of one Member State for the whole EU and are not subject to ex-ante supervisory measures.


The new NIS 2 directive, main elements.

The new Commission proposal aims to address the deficiencies of the previous NIS Directive, to adapt it to the current needs and make it future-proof.

To this end, the Commission proposal expands the scope of the current NIS Directive by adding new sectors based on how crucial they are for the economy and society, and by introducing a clear size cap, meaning that all medium and large companies in selected sectors will be included in the scope. At the same time, it leaves some flexibility for Member States to identify smaller entities with a high security risk profile.

The proposal also eliminates the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance and divided into essential and important categories, which will be subject to different supervisory regimes.

The proposal strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied. The proposal introduces more precise provisions on the process for incident reporting, content of the reports and timelines.

Furthermore, the Commission proposes to address the security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in their supply chains and supplier relationships. At European level, the proposal strengthens supply chain cybersecurity for key information and communication technologies. Member States, in cooperation with the Commission and ENISA, may carry out coordinated risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.

The proposal introduces more stringent supervisory measures for national authorities, stricter enforcement requirements and aims at harmonising sanctions regimes across Member States.

The proposal also enhances the role of the Cooperation Group in shaping strategic policy decisions and increases information sharing and cooperation between Member State authorities. It also enhances operational cooperation including on cyber crisis management.

The Commission proposal also establishes a basic framework, with responsible key actors, for coordinated vulnerability disclosure of newly discovered vulnerabilities across the EU, and creates an EU registry in this area, operated by the EU Agency for Cybersecurity (ENISA).


The NIS 2 Directive, news and alerts

This website belongs to Cyber Risk GmbH (established in Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). We are carefully monitoring the new legal and regulatory obligations that follow the amendments of the NIS Directive. We learn the requirements for EU and non-EU firms and entities, update our training programs accordingly, and inform our clients and recipients of our monthly newsletter. For news and developments about the NIS 2 Directive, you can receive our monthly newsletter at no cost (you may visit Cyber Risk GmbH, Reading Room, links at the top of the page). You may also visit this web site.