

NIS2 Cybersecurity Directive
European Union
2022
Cybersecurity
Overview
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union’s enhanced cybersecurity law, adopted in 2022 to strengthen the security of network and information systems across critical sectors. It replaces the original NIS Directive and expands its scope, coverage, and enforcement powers.

NIS2 applies to a broader set of essential and important entities across sectors such as banking, energy, healthcare, telecom, transportation, cloud services, public administration, and digital infrastructure. It sets baseline security standards and incident reporting obligations to improve the EU's collective cyber resilience.
Key Obligations
- Implement risk management and cybersecurity policies across networks and IT systems
- Report significant cyber incidents to the national CSIRT within 24 hours
- Conduct regular vulnerability assessments and use multi-factor authentication
- Appoint a cybersecurity officer and ensure board-level accountability
- Maintain business continuity and crisis management plans
FAQ
Who must comply with the NIS2 Directive?
Both essential and important entities operating in critical and digital sectors in EU member states are required to comply.
What are the penalties for non-compliance with NIS2?
Penalties can include administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher.
How is incident reporting handled under NIS2?
Entities must submit an early warning within 24 hours, a full report within 72 hours, and a final report after incident resolution.
When does NIS2 take effect?
Member states must transpose the directive into national law by October 17, 2024, and enforcement will begin thereafter.
