This document is an excerpt from the EUR-Lex website
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU
The directive, known as NIS2, sets out a common cybersecurity regulatory framework aimed at raising the level of cybersecurity in the European Union (EU). It requires EU Member States to strengthen their cybersecurity capabilities, introduces cybersecurity risk-management measures and reporting obligations in critical sectors, and lays down rules on cooperation, information sharing, supervision and enforcement.
Cybersecurity refers to the activities necessary to protect network and information systems, the users of such systems and other persons affected by cyber threats.
Critical sectors
The directive applies principally to medium-sized and large entities operating in the following sectors of high criticality as defined in Annex I.
It also applies to other critical sectors, as defined in Annex II:
National cybersecurity strategy
Every Member State must adopt a national strategy to achieve and maintain a high level of cybersecurity in the critical sectors, including:
Computer security incident response teams
Computer security incident response teams (CSIRTs) provide technical assistance to entities, including by:
CSIRTs network
The directive sets up a network of national CSIRTs to promote swift and effective operational cooperation.
Coordinated vulnerability disclosure
Member States must:
The European Union Agency for Cybersecurity (ENISA) shall develop and maintain a vulnerability database.
Cooperation group
The directive sets up a cooperation group to support and facilitate strategic cooperation and information exchange. It is composed of representatives of Member States, the European Commission and ENISA. Where appropriate, the cooperation group may invite the European Parliament and representatives of relevant stakeholders to participate in its work.
European cyber crisis liaison organisation network
The European cyber crisis liaison organisation network (EU-CyCLONe) is a network comprising representatives of Member State cyber crisis management authorities, as well as the Commission, in cases where a potential or ongoing large-scale cybersecurity incident has or is likely to have a significant impact on the sectors covered by the directive. In other cases, the Commission shall participate in the activities of the network as an observer. The network supports the coordinated management of large-scale cybersecurity incidents and crises at the operational level and ensures the regular exchange of information among Member States and EU institutions, bodies and agencies.
The network is tasked, among other things, with:
Reporting
Entities must notify their CSIRT or relevant authority of any incident that:
Furthermore, ENISA will produce, in cooperation with the Commission and the cooperation group, a biennial report on the state of cybersecurity in the EU which will also be submitted to the Parliament.
Supervision and enforcement
The directive provides for remedies and sanctions to ensure enforcement.
Peer reviews
Peer reviews are set up with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, and enhancing Member States’ cybersecurity capabilities and policies necessary to implement this directive. These reviews entail physical or virtual on-site visits and off-site exchanges of information. Participation in these peer reviews is voluntary.
The directive has to be transposed into national law by 17 October 2024. The rules should apply from 18 October 2024.
The directive repeals Directive (EU) 2016/1148 (see summary) from 18 October 2024.
For further information, see:
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, pp. 80–152).
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, pp. 1–79).
Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, pp. 164–198).
Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, pp. 69–148).
Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 establishing the Digital Europe Programme and repealing Decision (EU) 2015/2240 (OJ L 166, 11.5.2021, pp. 1–34).
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, pp. 15–69).
Commission Recommendation (EU) 2019/534 of 26 March 2019 – Cybersecurity of 5G networks (OJ L 88, 29.3.2019, pp. 42–47).
Council Implementing Decision (EU) 2018/1993 of 11 December 2018 on the EU Integrated Political Crisis Response Arrangements (OJ L 320, 17.12.2018, pp. 28–34).
Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast) (OJ L 321, 17.12.2018, pp. 36–214).
Successive amendments to Directive (EU) 2018/1972 have been incorporated in the original text. This consolidated version is of documentary value only.
Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, pp. 1–122).
Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, pp. 36–58).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73–114).
Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, pp. 924–947).
Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, pp. 8–14).
Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, pp. 1–14).
Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, pp. 72–84).
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, pp. 37–47).
last update 06.02.2023