4637829

Language
- My EUR-Lex
- Sign in
- Register
- My recent searches (0)

This document is an excerpt from the EUR-Lex website

Search tips

Need more search options? Use the Advanced search

EUROPA
EUR-Lex home
Summaries of EU legislation
Justice, freedom and security
Cybersecurity of network and information systems (2022)

Summaries of EU Legislation

Help

Cybersecurity of network and information systems (2022)

SUMMARY OF:

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU

WHAT IS THE AIM OF THE DIRECTIVE?

The directive, known as NIS2, sets out a common cybersecurity regulatory framework aiming to enhance the level of cybersecurity in the European Union (EU), requiring EU Member States to strengthen cybersecurity capabilities, and introducing cybersecurity risk-management measures and reporting in critical sectors, along with rules on cooperation, information sharing, supervision and enforcement.

KEY POINTS

Cybersecurity refers to the activities necessary to protect network and information systems, the users of such systems and other persons affected by cyber threats.

Critical sectors

The directive applies principally to medium-sized and large entities operating in the following sectors of high criticality as defined in Annex I.

Energy:
- electricity, including production, distribution and transmission systems and charging points;
- district heating and cooling;
- oil, including production, storage and transmission pipelines;
- gas, including supply, distribution and transmission systems and storage; and
- hydrogen.
Transport by air, rail, water and road.
Banking and financial market infrastructures such as credit institutions, operators of trading venues and central counterparties.
Health, including healthcare providers, manufacturers of basic pharmaceutical products and critical medical devices, and EU reference laboratories.
Drinking water.
Waste water.
Digital infrastructure, including providers of data centre services, cloud computing services, public electronic communications networks and publicly available electronic communications services.
ICT managed services (business-to-business).
Space.
Public administration at the central and regional level, excluding judiciary, parliaments, and central banks. However, it does not apply to public administration entities that carry out activities in the areas of national security, public security, defence or law enforcement.

It also applies to other critical sectors, as defined in Annex II:

postal and courier services;
waste management;
chemical manufacturing, production and distribution;
food production, processing and distribution;
manufacturing, specifically medical devices, computer, electronic and optical products, certain electrical equipment and machinery, motor vehicles and other transport equipment;
digital providers of online marketplaces, search engines and social networks; and
research organisations.

National cybersecurity strategy

Every Member State must adopt a national strategy to achieve and maintain a high level of cybersecurity in the critical sectors, including:

a governance framework clarifying the roles and responsibilities for relevant stakeholders at the national level;
policy addressing the security of supply chains;
policy on managing vulnerabilities;
policy on promoting and developing education and training on cybersecurity; and
measures to improve cybersecurity awareness among citizens.

Computer security incident response teams

Computer security incident response teams (CSIRTs) provide technical assistance to entities, including by:

monitoring and analysing cyber threats, vulnerabilities, and incidents at the national level;
providing early warnings, alerts, announcements and information to the entities concerned and to other stakeholders on cyber threats, vulnerabilities and incidents, if possible in near-real time;
responding to incidents and providing assistance where applicable;
collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness on cybersecurity; and
providing, on request, proactive network and information system scanning to detect vulnerabilities with a potential significant impact.

CSIRTs network

The directive sets up a network of national CSIRTs to promote swift and effective operational cooperation.

Coordinated vulnerability disclosure

Member States must:

designate one of their CSIRTs to coordinate the disclosure of vulnerabilities discovered in ICT products or services; and
ensure that people in the Member States are able to report vulnerabilities, anonymously if requested.

The European Union Agency for Cybersecurity (ENISA) shall develop and maintain a vulnerability database.

Cooperation group

The directive sets up a cooperation group to support and facilitate strategic cooperation and information exchange. It is composed of representatives of Member States, the European Commission and ENISA. Where appropriate, the cooperation group may invite the European Parliament and representatives of relevant stakeholders to participate in its work.

European cyber crisis liaison organisation network

The European cyber crisis liaison organisation network (EU-CyCLONe) is a network comprising representatives of Member State cyber crisis management authorities, as well as the Commission, in cases where a potential or ongoing large-scale cybersecurity incident has or is likely to have a significant impact on the sectors covered by the directive. In other cases, the Commission shall participate in the activities of the network as an observer. The network supports the coordinated management of large-scale cybersecurity incidents and crises at the operational level and ensures the regular exchange of information among Member States and EU institutions, bodies and agencies.

The network is tasked, among other things, with:

coordinating the management of large-scale cybersecurity incidents and crises and supporting decision-making at the political level;
increasing preparedness;
developing a shared situational awareness; and
assessing the consequences and impact of large-scale cybersecurity incidents and crises and proposing possible mitigation measures.

Reporting

Entities must notify their CSIRT or relevant authority of any incident that:

can cause or is capable of causing severe operational disruption or financial loss for the entity;
it has affected or could affect others by causing considerable material or non-material damage.

Furthermore, ENISA will produce, in cooperation with the Commission and the cooperation group, a biennial report on the state of cybersecurity in the EU which will also be submitted to the Parliament.

Supervision and enforcement

The directive provides for remedies and sanctions to ensure enforcement.

Peer reviews

Peer reviews are set up with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, and enhancing Member States’ cybersecurity capabilities and policies necessary to implement this directive. These reviews entail physical or virtual on-site visits and off-site exchanges of information. Participation in these peer reviews is voluntary.

FROM WHEN DO THE RULES APPLY?

The directive has to be transposed into national law by 17 October 2024. The rules should apply from 18 October 2024.

BACKGROUND

The directive repeals Directive (EU) 2016/1148 (see summary) from 18 October 2024.

For further information, see:

Cybersecurity (European Commission)
Cybersecurity: How the EU tackles cyber threats (European Council, Council of the European Union)
How the EU responds to crises and builds resilience (European Council, Council of the European Union)
A digital future for Europe (European Council, Council of the European Union).

MAIN DOCUMENT

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, pp. 80–152).

RELATED DOCUMENTS

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, pp. 1–79).

Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, pp. 164–198).

Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, pp. 69–148).

Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 establishing the Digital Europe Programme and repealing Decision (EU) 2015/2240 (OJ L 166, 11.5.2021, pp. 1–34).

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, pp. 15–69).

Commission Recommendation (EU) 2019/534 of 26 March 2019 – Cybersecurity of 5G networks (OJ L 88, 29.3.2019, pp. 42–47).

Council Implementing Decision (EU) 2018/1993 of 11 December 2018 on the EU Integrated Political Crisis Response Arrangements (OJ L 320, 17.12.2018, pp. 28–34).

Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast) (OJ L 321, 17.12.2018, pp. 36–214).

Successive amendments to Directive (EU) 2018/1972 have been incorporated in the original text. This consolidated version is of documentary value only.

Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, pp. 1–122).

See consolidated version.

Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, pp. 36–58).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).

See consolidated version.

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73–114).

Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, pp. 924–947).

See consolidated version.

Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, pp. 8–14).

Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, pp. 1–14).

See consolidated version.

Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, pp. 72–84).

See consolidated version.

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, pp. 37–47).

See consolidated version.

last update 06.02.2023

Top