The new cybersecurity directive

On the 28th of November 2022, the Council adopted Directive (EU) 2022/2555, better known as the NIS 2 Directive, whose goal is to increase the overall level of cybersecurity across the European Union. The new directive replaces the original NIS I (Directive (EU) 2016/1148), which quickly became obsolete owing to the overall advancement of threats in cyberspace, as well as the expansion of cyberspace itself. The new Directive builds on the positive experiences gained through the drafting of the GDPR, with the end goal of being more practical and easier to implement.

With NIS 2, the overall approach to the scope of application was broadened, leading to a greater focus on “important” and “essential” entities, while simultaneously allowing Member States to impose a self-registration obligation on them.

Further changes in comparison to NIS I include changes to the incident reporting mechanism (both the conditions and the deadlines for reporting), increased minimum security measures, changes in conformity assessment and an increased role of management. Finally, the enforcement mechanism has also been improved, with an increase in administrative fees as well as other types of sanctions.

These changes promise to have a positive impact on the security of cyberspace as a whole.