Directive 2022/2555 of the European Parliament and of the Council, known as NIS2, establishes a new regulatory framework on cybersecurity for all Member States of the European Union (EU). This regulation aims primarily to improve the resilience and security of critical infrastructures and digital services across the region. The directive updates and replaces the previous NIS1 Directive (2016/1148) to ensure a more robust common level of cybersecurity in Europe.

NIS2 entered into force in January 2023, and Member States have until October 17th 2024 to implement it. From October 18th 2024, the provisions of NIS2 will be applicable throughout the EU. This directive introduces new obligations regarding risk management, incident reporting, monitoring and enforcement for Member States and affected entities.

Scope and obligations

The NIS2 Directive applies to a wide range of entities in both the public and private sectors. It includes those operating in sectors considered critical, such as energy, transport or healthcare, and highly critical sectors, such as electronic communications services, DNS service providers or domain name registries. In particular, it affects medium and large companies, but also entities whose service interruption could have a significant impact on public safety, public order or public health, regardless of their size.

The main obligations established by the directive include the implementation of technical, operational and organisational measures to manage cybersecurity risks. In addition, entities must report major incidents and share relevant information to prevent and mitigate future risks.

In short, NIS2 seeks to strengthen cybersecurity at a European level through a coordinated approach and common regulations. With its entry into force in 2024, all entities within its scope are expected to adapt to improve the security and resilience of essential infrastructures and services.

More information: https://www.ccn.cni.es/en/regulations/nis2-directive