Cyber security legislative mechanisms – NIS 2

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity in the European Union must be transposed into national law by 17 October 2024.

The Directive, known as NIS 2, establishes a common regulatory framework in the field of cybersecurity with the aim of increasing the level of cybersecurity in the European Union, requiring member states to strengthen cybersecurity capabilities and introducing cybersecurity risk management and reporting measures in critical sectors, together with rules on cooperation, information sharing, supervision and law enforcement.

Cybersecurity refers to the activities necessary to protect networks and information systems, the users of such systems and other persons affected by cyber threats.

The Directive applies mainly to medium and large entities operating in sectors of high critical importance, such as:

• energy (electricity, including generation, distribution and transport systems and charging points; district heating and district cooling; oil, including production, storage and transport pipelines; gas, including supply, distribution and transport systems, and storage systems; and hydrogen)
• air, rail, sea and road transport
• the banking sector and financial market infrastructures, such as credit institutions, trading venue  operators and central counterparties
• health, including healthcare providers, manufacturers of key pharmaceuticals and essential medical devices, and EU reference laboratories
• digital infrastructure, including providers of data centre services, cloud computing services, public

electronic communications networks and publicly accessible electronic communications services

• business-to-business ICT service management
• public administration at central and regional level

Each member state must adopt a national strategy to achieve and maintain a high level of cybersecurity in critical sectors, such as:

• a governance framework clarifying the roles and responsibilities of relevant stakeholders at national level
• supply chain security policies
• vulnerability management policies
• policies on the promotion and development of cyber security education and training
• measures to improve citizens’ awareness of cyber security

Source: Directive (EU) 2022/2555 on measures for a high common level of cyber security in the Union