NIS2 - Network and Information Security Directive 2
What is it?
The NIS2 Directive – short for Network and Information Security Directive 2 – is a major piece of European Union legislation aimed at significantly strengthening cybersecurity across the EU. Officially titled Directive (EU) 2022/2555, it replaces the original NIS Directive (Directive 2016/1148) and came into effect on January 16, 2023, with EU Member States required to transpose it into national law by October 17, 2024.
Purpose and scope
NIS2 is designed to ensure a high common level of cybersecurity across the EU. It addresses the shortcomings of the original NIS Directive, which led to inconsistent cybersecurity standards and enforcement across Member States. NIS2 introduces more harmonised rules, broader sectoral coverage, and stricter obligations for both public and private entities.
The directive applies to a wide range of critical and important sectors, including:
- Energy
- Transport
- Banking and financial services
- Health
- Digital infrastructure
- Public administration
- Space and postal services
It also includes digital service providers such as cloud computing, data centres, and online marketplaces.
Key requirements
Entities covered by NIS2 must implement a range of cybersecurity risk management and incident response measures, including:
- Robust cybersecurity policies
- Incident detection and reporting within 24 hours
- Business continuity and crisis management plans
- Supply chain security assessments
- Regular audits and vulnerability handling
Importantly, top management is held accountable for compliance, and failure to meet obligations can result in significant penalties, including fines and public disclosure of non-compliance.
Major changes from NIS1
Compared to the original NIS Directive, NIS2 introduces:
- Expanded scope: More sectors and types of entities are now covered.
- Stronger enforcement: National authorities have more power to supervise and penalise.
- Unified criteria: Clearer definitions of what constitutes a “critical” or “important” entity.
- Improved cooperation: Enhanced collaboration between EU Member States through the European Cyber Crises Liaison Organisation Network (EU-CyCLONe).
Implementation and challenges
Although the deadline for national implementation was October 2024, as of early 2025, many EU countries have yet to fully transpose NIS2 into national law, prompting the European Commission to initiate infringement proceedings.
Despite this, companies are expected to begin compliance preparations immediately, especially those operating across multiple jurisdictions.
Global impact
NIS2 is poised to become a global benchmark for cybersecurity regulation, much as the GDPR did for data privacy. Non-EU countries and multinational corporations are already looking to NIS2 as a model for their own cybersecurity frameworks.
Need help to understand the impact of NIS2?
Kyocera Cyber offers a comprehensive NIS2 consultancy service to ease the pain.