Measures for a high common level of cybersecurity across the Union (NIS2)

NIS2 establishes requirements for how service providers must act to prevent, manage, and minimize the consequences of cyberattacks. It also outlines reporting obligations, the responsibilities of management bodies, and strengthened enforcement mechanisms.

Purpose: The purpose of NIS2 is to ensure a high, common level of cybersecurity across the European Union. Aimed at addressing the somewhat fragmented implementation of the NIS1 Directive, NIS2 seeks to increase the cyber resilience of EU Member States by implementing uniform requirements.

Scope: NIS2 applies to service providers across a wide range of sectors, determined by the size of the providers and the industries in which they operate. Entities are classified as either «essential» or «important» based on their size, industry, and level of criticality. This classification primarily affects the level of sanctions and supervision they face. The cybersecurity risk management measures required by NIS2 apply uniformly, regardless of an entity’s classification.

Core obligations: A key component of NIS2 is the implementation of mechanisms to ensure the security and resilience of the network and information systems used for service delivery in critical sectors. It requires entities to implement adequate technical, operational, and organizational measures to manage and mitigate the risks associated with their network and information systems. Additionally, NIS2 outlines reporting obligations and the responsibilities of management bodies, and introduces strengthened enforcement mechanisms.

Short facts
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2) (EUR-Lex consolidated text 02022L2555-20221227, EN)
  • Transposition deadline: 17 October 2024
  • Considered EEA-relevant and likely to be implemented