The NIS 2 Directive will ensure a safer and stronger Europe by significantly expanding the sectors and type of critical entities falling under its scope. These include providers of public electronic communications networks and services, data centre services, wastewater and waste management, manufacturing of critical products, postal and courier services and public administration entities, as well as the healthcare sector more broadly.
Furthermore, it will strengthen the cybersecurity risk management requirements that companies are obliged to comply with, as well as streamline incident reporting obligations with more precise provisions on reporting, content and timeline.
Read more: EU Agrees New Cybersecurity Legislation
The NIS2 Directive replaces the rules on the security of network and information systems, the first EU-wide legislation on cybersecurity.
Against an ever more complex risk landscape, the new CER Directive replaces the European Critical Infrastructure Directive of 2008. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage.
11 sectors will be covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.
Member States have 21 months to transpose both Directives into national law. During this time, Member States shall adopt and publish the measures necessary to comply with them.
In December 2022, the Council has adopted a recommendation on a Union-wide coordination approach to strengthen the resilience of critical infrastructure where Member States are invited to accelerate preparatory work for the transposition and application of NIS 2 and of the Directive on the resilience of critical entities (CER).