The NIS 2 Directive[1] (Directive 2022/2555) on measures for a high common level of cyber security across the EU has now entered into force.[2]

Member states must now incorporate the provisions into their national law by October 2024.

NIS 2 will replace its predecessor – NIS (Directive 2016/1148), which was the first cross-sector cyber security law in the EU.

NIS 2 has become necessary because the speed at which network and information systems have developed into a central feature of everyday life has led to greater interconnectedness, including in cross-border exchanges, and with this has come an expansion of the cyber threat landscape. The number, magnitude, sophistication, frequency and impact of incidents are increasing, and can impede the pursuit of economic activities in the internal market, generating financial loss, undermining user confidence and causing major damage to the Union’s economy and society. Cyber security preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market; “adapted, coordinated and innovative responses” are required in all member states, says the EU. In addition, NIS was not implemented consistently across member states, with, for example, some services being categorised as “essential” in some countries but not in others.

Moreover, the EU considers change is necessary for growth. Cyber security is a key enabler for many critical sectors to successfully embrace digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.

The UK has confirmed that it will update the Security of Network & Information Systems Regulations 2018 (NIS Regulations) as they apply to the UK, following the EU’s adoption of NIS 2. The UK has a leadership role in cyber security across the world. It is ranked second in the ITU Global Cyber Security Index[3], in part due to the work of the National Cyber Security Centre, which has been lauded globally for responding to incidents quickly and putting previously classified information into the hands of industry so that companies can defend themselves more effectively. Countries like Canada and Australia have chosen to follow suit and adopt the NCSC model.

To harmonise cyber security requirements and the implementation of cyber security measures in different member states, the revised directive sets out minimum rules for a regulatory framework and lays down mechanisms for effective co-operation among relevant authorities in each member state. It updates the list of sectors and activities subject to cyber security obligations and provides for remedies and sanctions to ensure enforcement.

The new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER) to provide legal clarity and ensure coherence between NIS 2 and these.

NIS 2 will apply to public administrations at central and regional level. However, the text clarifies that the directive will not apply to entities carrying out activities such as defence, national security, public security and law enforcement, nor will it apply to the judiciary, parliament and central banks.

Key changes between NIS and NIS 2 are as follows:

  • NIS 2 catches a greater number of sectors that are critical for the economy and society. Annex I sets out sectors of high criticality and Annex II sets out other critical sectors (see table).
  • The directive introduces a size-cap rule as a general rule for identification of regulated entities, meaning that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.
  • NIS 2 introduces governance and accountability obligations for management bodies in relation to cyber security. Member states have to ensure that the management bodies of essential and important entities approve the cyber security risk management measures taken by those entities in Article 21 (see below), oversee their implementation and can be held liable for infringements by the entities of that Article. This is consistent with the global trend to hold individuals to account for cyber security.
  • NIS 2 contains a list of basic technical and organisational measures in Article 21 which must be applied. These include incident handling, business continuity and crisis management measures as well as technical measures such as multi-factor authentication and cryptography, including encryption where appropriate.
  • NIS 2 broadens the extraterritorial effect already in place under NIS.
  • There is an increased emphasis on security of supply chains and supplier relationships.
  • NIS 2 also streamlines the reporting obligations in order to avoid causing over-reporting and creating an excessive burden on the entities covered. However, incidents having a significant impact on in-scope services will have to be reported to the relevant supervisory authorities within 24 hours at the latest – with an intermediate report following upon the request of the supervisory authority and a final report no later than one month after the initial notification. An incident is significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned or has affected or is capable of affecting other natural or legal persons by causing material or non-material damage.

Directors and senior managers within businesses caught by NIS 2 should start preparing to meet the new requirements now. They will be expected to have a comprehensive suite of systems and controls in place to protect their operations. They won’t be able to reduce risk to zero but should be prepared to explain why decisions as to what to prioritise were made. It will also be important to ensure that they have full crisis response plans in place, know where to find them and practise them. Front-loading some of the analysis helps reduce both the decision-making required during any crisis and liability.

| Operators of Essential Services (as defined in Annex II) | Sectors of High Criticality (as defined in Annex I) |
|---|---|
| Energy | Energy |
| Transport | Transport |
| Banking | Banking |
| Financial Market Infrastructures | Financial Market Infrastructures |
| Health | Health |
| Drinking water supply and distribution | Drinking water |
| Digital infrastructure | Digital infrastructure |
| | Waste water |
| | ICT service management (business to business) |
| | Public administration |
| | Other critical sectors (as defined in Annex II) |
| | Postal and courier services |
| | Waste management |
| | Manufacture, production and distribution of chemicals |
| | Production, processing and distribution of food |
| Digital Services (as defined in Annex III) | Digital providers (caught under other critical sectors in Annex II) |
| Online marketplace | Providers of online marketplaces |
| Online search engine | Providers of online search engines |
| Cloud computing service | Providers of social networking services platforms |

[2] It entered into force on 16 January 2023

[3] International Telecommunication Union (ITU) Global Cyber Security Index 2020, which focuses upon governance (national strategies, incident response capabilities and legal measures to regulate cyber security).

Key contacts

Andrew Moir
Global Head of Cyber & Data Security, London
+44 20 7466 2773

Kate Macmillan
Cyber Risk Advisory Lead (UK, US & EMEA), London
+44 20 7466 3737

Hywel Jenkins
Partner, London
+44 20 7466 2510

Cat Dankos
Consultant, London
+44 20 7466 7494