NIS 2 Directive
About the NIS 2 Directive
Full name: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
Type: Directive
Objective and key elements:
- Enhance the preparedness of the Member States, such as by forming, and cooperating with other Member States through, a Computer Security Incident Response Team (CSIRT), a competent national network and information systems (NIS) authority and an EU-wide Cooperation Group.
- Requirements to form a culture of security across sectors that are vital for the EU economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
- Operators of essential services (as appointed) in the above sectors will be obliged to take appropriate security measures and notify relevant national authorities of serious incidents.
- Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under NIS 2.
Relevant to: Operators of essential services, as well as key digital service providers.
Status: In force since 16 January 2023, to be implemented by the Member States by 17 October 2024.
Swedish implementation: Please see the Swedish report with the proposal for implementation here. Still awaiting the final proposal.
Related legislation (CER-directive): Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER-directive). Please see this link to get to the Swedish final report regarding the implementation of the CER-directive (published on 18 September 2024).
(Last updated 18 September 2024)