SECURITY
NIS2 Directive
Origin
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union
General overview
The NIS2 Directive (NIS2) will repeal and replace the NIS Directive, which was the first piece of EU-wide legislation on cybersecurity. When implemented, NIS2 will create a more extensive and harmonised set of rules on cybersecurity for organisations carrying out their activities within the EU. In particular, entities subject to the directive will need to implement appropriate measures to manage the risks to the security of network and information systems which those entities use.
Under NIS2, the pool of in-scope entities will be widened. The concepts of “operator of essential service” (OES) and “digital service provider” (DSP) will be replaced by “essential entities” and “important entities”. NIS2 also includes modified incident reporting obligations.
In addition to the sectors covered by the NIS Directive, NIS2 will cover organisations operating in the following sectors:
- digital infrastructure and digital providers
- waste water and waste management
- manufacturing of certain critical products (such as pharmaceuticals, medical devices, or chemicals)
- food
- space
- postal and courier services
- public administration
Status
Published in the Official Journal of the EU on 27 December 2022
Member States must adopt and publish implementing measures by 17 October 2024 and apply those measures from 18 October 2024
Ireland proposes to transpose via the National Cyber Security Bill (not yet published)
TO BE TRANSPOSED BY 17 OCT 2024