NIS2 Directive – the most important EU cybersecurity act finally adopted

Written By

feyo sickinghe Module
Feyo Sickinghe

Of Counsel
Netherlands

I am a Principal Regulatory Counsel in our Regulatory & Public Affairs practice in the Netherlands and Brussels. I have a focus on tech and comms and digital markets regulation, drawing on in-depth business knowledge and extensive experience in TMT and public administration.

natallia karniyevich module
Dr. Natallia Karniyevich

Associate
Germany

I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.

On 10 November 2022, the European Parliament approved the Directive on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”). This act will repeal the current directive on security of network and information systems (“NIS Directive”), amending the rules on the security of network and information systems and increasing the level of cyber resilience required of critical public and private sectors.

The overall purpose of the NIS2 Directive is to further improve the resilience and incident response capacities of both the public and private sectors as well as the EU as a whole. It furthermore aims at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. To this end, the NIS 2 Directive in particular

  • Widens the scope of the rules covering as a general rule medium and large entities from more sectors that are critical for the economy and society to respond to the increased exposure of Europe to cyber threats;
  • Provides legal clarity and ensures coherence between the NIS2 Directive and sector-specific legislation;
  • Strengthens cybersecurity risk and incident management;
  • Includes express governance requirements;
  • Introduces more stringent supervisory measures for national authorities as well as stricter enforcement requirements;
  • Aims at harmonising sanctions regimes across Member States; and
  • Introduces accountability of top management for non-compliance with cybersecurity obligations.

Next steps

Once published in the Official Journal, the NIS2 Directive will enter into force 20 days after publication and Member States will then have 21 months to transpose the Directive into national law. In Germany, for example, following the IT Security Act 2.0, the legislator will have to deal with an IT Security Act 3.0.

For further information contact Feyo Sickinghe and Natallia Karniyevich

Latest insights

More Insights
Curiosity line yellow background

ASIC’s 2025 enforcement priorities – what’s on the corporate regulator’s mind?

Nov 21 2024

Read More
featured image

Bird & Bird marks World Children’s Day by announcing its forthcoming Global Comparative Guide to Children in the Digital World

7 minutes Nov 20 2024

Read More
featured image

Understanding the Impact of the Transposition of the CER Directive into Irish Law

5 minutes Nov 19 2024

Read More