NIS2 Directive

Directive on measures for a high common level of cybersecurity across the Union

Abstract

NIS2 significantly expands the scope of the original NIS Directive to cover more sectors and entity types. It requires organizations to implement risk management measures, report significant incidents within 24 hours, secure their supply chains, and ensure management bodies are trained and accountable for cybersecurity.

Summary

The NIS2 Directive establishes a harmonized cybersecurity baseline across the EU. It covers 'essential entities' (energy, transport, banking, health, digital infrastructure) and 'important entities' (postal services, waste management, manufacturing, digital providers). Organizations must implement appropriate technical and organizational measures, conduct regular risk assessments, maintain incident response plans, and ensure business continuity. Incident reporting has strict timelines: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Management bodies must approve cybersecurity measures and can be held personally liable for non-compliance. Member states must establish CSIRTs and cooperate through the EU Cyber Crisis Liaison Organisation Network.
