On 10 November 2022, the European Parliament approved the Directive on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”). This act will repeal the current directive on security of network and information systems (“NIS Directive”), amending the rules on the security of network and information systems and increasing the level of cyber resilience required of critical public and private sectors.

The overall purpose of the NIS2 Directive is to further improve the resilience and incident response capacities of both the public and private sectors as well as the EU as a whole. It furthermore aims at reducing the regulatory burden for competent authorities and compliance costs for public and private entities. To this end, the NIS 2 Directive in particular

  • Widens the scope of the rules covering as a general rule medium and large entities from more sectors that are critical for the economy and society to respond to the increased exposure of Europe to cyber threats;
  • Provides legal clarity and ensures coherence between the NIS2 Directive and sector-specific legislation;
  • Strengthens cybersecurity risk and incident management;
  • Includes express governance requirements;
  • Introduces more stringent supervisory measures for national authorities as well as stricter enforcement requirements;
  • Aims at harmonising sanctions regimes across Member States; and
  • Introduces accountability of top management for non-compliance with cybersecurity obligations.

Next steps

Once published in the Official Journal, the NIS2 Directive will enter into force 20 days after publication and Member States will then have 21 months to transpose the Directive into national law. In Germany, for example, following the IT Security Act 2.0, the legislator will have to deal with an IT Security Act 3.0.