NIS-2 Directive
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS-2) is the successor to the first NIS Directive and has already entered into force at EU level.
The EU member states were obliged to transpose the requirements into national law by October 17, 2024, and have been applying them since October 18, 2024. NIS-2 introduces stricter security and reporting obligations for a significantly expanded group of sectors and companies (so-called “essential” and “important” entities).
Key points are a risk-based approach with concrete minimum measures, stricter supervision, more uniform and potentially high sanctions, supply chain security requirements and explicit management responsibility for the implementation and monitoring of cybersecurity measures.
Relevant for: Admins (implementation of technical and organizational measures), DPOs (proof of compliance, processes for reporting obligations), management (overall responsibility, liability).