The NIS 2 Directive (Directive 2022/2555) on measures for a high common level of cyber security across the EU has now entered into force.
Member states must now incorporate the provisions into their national law by October 2024
. NIS 2 will replace its predecessor – NIS (Directive 2016/1148), which was the first cross-sector cyber security law in the EU.
NIS 2 has been necessary because the speed at which network and information systems have developed into a central feature of everyday life has led to greater interconnectedness, including in cross-border exchanges and, with this, has come an expansion of the cyber threat landscape. The number, magnitude, sophistication, frequency and impact of incidents are increasing, and can impede the pursuit of economic activities in the internal market, generating financial loss, undermining user confidence and causing major damage to the Union’s economy and society. Cyber security preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market; "adapted, coordinated and innovative responses" are required in all member states, says the EU. NIS was not implemented consistently across member states with, for example, some services being categorised as "essential" in some countries but not in others. Read more