European Security Directive – NIS2

Security Regulation in the European Union

In response to the increased threat of cyberattacks and the associated need to increase defenses (including technical defenses) against such incidents, the Council of the European Union and the European Parliament adopted the “NIS 2 Directive” in December 2022.

NIS2 stands for “Network and Information Security Directive” and is a continuation and expansion of the previous EU cybersecurity directive, NIS1.

The EU cybersecurity rules first introduced in 2016 were updated by the NIS2 Directive that came into force in 2023. The NIS2 Directive modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.

https://digital-strategy.ec.europa.eu/en/policies/nis2-directive

The aim of NIS2 is to strengthen the collective cybersecurity level of EU member states by increasing cybersecurity enforcement requirements for critical infrastructure sectors.

The NIS2 directive regulates companies and government agencies in the area of cybersecurity. It provides for revised and broader IT security requirements in all EU member states. One of the most important purposes of this IT security legislation in the EU is to contribute “to the effective functioning of its economy and society”.

https://eur-lex.europa.eu/eli/dir/2022/2555

The NIS 2 Directive is generally applicable to any entity in the sectors listed in the following paragraphs that, according to the terminology of European law, is classified at least as a medium-sized enterprise. This is generally the case if the entity has at least 50 employees or achieves an annual turnover or an annual balance sheet total of more than EUR 10 million. Exemptions exist, but expanding on them is beyond the scope of this article.

Areas of Coverage – Essential Entities

Energy, Transport, Finance, Health, Water, Digital Infrastructure, Public Administration, Space

Areas of Coverage – Important Entities

Postal Services, Waste Management, Chemical Products, Food, Production of Pharmaceutical, Electronic and Optical Equipment and Machinery, Digital Providers, Research

The directive should manifest as national law for all Member States, which means that Member States will have to pass national legislation aligning with the NIS2 directive by October 17, 2024.