NIS 2 Directive
EU Directive 2022/2555 strengthening cybersecurity requirements for essential and important entities across the European Union.
The NIS 2 Directive (Network and Information Security Directive 2) is the EU's central legislative instrument for raising the baseline level of cybersecurity across member states. It replaces and significantly expands the original NIS Directive from 2016, broadening the scope of affected sectors and introducing more stringent security and reporting obligations.
NIS 2 distinguishes between "essential entities" and "important entities", covering sectors such as energy, transport, health, digital infrastructure, public administration, and manufacturing. Organizations falling under the directive must implement comprehensive risk management measures, including technical controls, supply chain security, incident response procedures, and business continuity planning.
A key feature of NIS 2 is its emphasis on management accountability: senior leadership can be held personally liable for non-compliance. Member states were required to transpose the directive into national law by October 2024. In Germany, implementation is underway through the NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act).
Legal Basis
EU Directive 2022/2555 (NIS 2); NIS2UmsuCG (Germany)
Practical Example
A mid-sized logistics company operates critical transport infrastructure and therefore qualifies as an "important entity" under NIS 2. It must implement a risk management framework, introduce multi-factor authentication across all critical systems, establish an incident response process, and register with the relevant national authority. The CEO is briefed on these obligations and formally approves the company's information security policy.