EU law reading tool
NIS 2 Directive — Directive (EU) 2022/2555
LegalViz.EU is a reading tool for EU legislation. Use this page to browse NIS 2 Directive — Directive (EU) 2022/2555 by article, recital, and annex, then open the full interactive viewer for cross-references, side-by-side reading, and printing.
Overview
This Directive aims to achieve a high common level of cybersecurity across the Union to improve the functioning of the internal market. It repeals and replaces the previous NIS Directive (EU) 2016/1148, extending its scope to cover more sectors and services vital to the economy and society. (Art. 1 Art. 44)
The Directive applies to medium-sized and large public and private entities in specific sectors listed in Annexes I (highly critical sectors) and II (other critical sectors). Regardless of size, it also applies to entities like providers of public electronic communications networks, trust service providers, TLD name registries, DNS service providers, critical entities under Directive (EU) 2022/2557, and certain public administration entities. It does not apply to entities whose activities are predominantly in national security, public security, defence, or law enforcement. (Art. 2 Art. 3)
Key points
- Member States must adopt and publish national measures to comply with this Directive by 17 October 2024, and apply them from 18 October 2024. (Art. 41)
- Member States must ensure that essential and important entities take appropriate technical, operational, and organisational measures to manage cybersecurity risks. These measures must address areas such as incident handling, business continuity, supply chain security, and the use of cryptography. (Art. 21)
- Member States must ensure that essential and important entities notify their national Computer Security Incident Response Team (CSIRT) or competent authority of any significant incident without undue delay. An early warning is required within 24 hours, followed by a more detailed notification within 72 hours. (Art. 23)
- Member States must establish a list of essential and important entities by 17 April 2025 and update it at least every two years. They must require these entities to submit identifying information to the competent authorities. (Art. 3)
- Member States must designate or establish competent authorities for cybersecurity, a single point of contact for cross-border cooperation, and one or more CSIRTs with defined technical capabilities and tasks. (Art. 8 Art. 10 Art. 11)
- Member States must ensure that management bodies of essential and important entities approve and oversee their cybersecurity risk-management measures and can be held liable for infringements. Members of these bodies must follow cybersecurity training. (Art. 20)
- Member States must establish rules for administrative fines for infringements of cybersecurity risk-management and reporting obligations. For essential entities, fines shall be a maximum of at least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. For important entities, the maximum is at least €7,000,000 or 1.4% of turnover. (Art. 34)
Structure
The Directive begins with General Provisions (Chapter I) defining its subject matter, scope, and key terms. Chapter II outlines Coordinated Cybersecurity Frameworks, requiring Member States to have national strategies, competent authorities, and CSIRTs. Chapter III details cooperation mechanisms at the Union level, such as the Cooperation Group and CSIRTs network. Chapter IV sets out Cybersecurity Risk-Management Measures and Reporting Obligations for entities. Chapter V covers Jurisdiction and Registration. Subsequent chapters address Information Sharing (VI), Supervision and Enforcement (VII), Delegated and Implementing Acts (VIII), and Final Provisions (IX) including transposition deadlines and the repeal of the first NIS Directive.
Related instruments
- Directive (EU) 2016/1148 — This Directive repeals and replaces Directive (EU) 2016/1148 (the first NIS Directive), expanding its scope and strengthening security requirements.
- Directive (EU) 2022/2557 — This Directive is linked to the Resilience of Critical Entities (CER) Directive. Entities identified as critical under the CER Directive are automatically considered essential entities under this Directive, ensuring alignment between physical and cyber resilience.
- Regulation (EU) 2022/2554 — This Regulation on digital operational resilience for the financial sector (DORA) is considered a sector-specific Union legal act. Financial entities compliant with DORA's equivalent requirements are exempt from corresponding obligations under this Directive.
- Regulation (EU) 2016/679 (32016R0679) — This Directive is without prejudice to the General Data Protection Regulation (GDPR). It specifies that competent authorities must inform data protection authorities of incidents that entail a personal data breach.
What LegalViz.EU helps with: faster reading of EU laws, quick jumps between articles and recitals, and easier orientation inside long regulations.
Articles
- Article 1
- Article 2
- Article 3
- Article 4
- Article 5
- Article 6
- Article 7
- Article 8
- Article 9
- Article 10
- Article 11
- Article 12
- Article 13
- Article 14
- Article 15
- Article 16
- Article 17
- Article 18
- Article 19
- Article 20
- Article 21
- Article 22
- Article 23
- Article 24
- Article 25
- Article 26
- Article 27
- Article 28
- Article 29
- Article 30
- Article 31
- Article 32
- Article 33
- Article 34
- Article 35
- Article 36
- Article 37
- Article 38
- Article 39
- Article 40
- Article 41
- Article 42
- Article 43
- Article 44
- Article 45
- Article 46
Recitals
- Recital 1
- Recital 2
- Recital 3
- Recital 4
- Recital 5
- Recital 6
- Recital 7
- Recital 8
- Recital 9
- Recital 10
- Recital 11
- Recital 12
- Recital 13
- Recital 14
- Recital 15
- Recital 16
- Recital 17
- Recital 18
- Recital 19
- Recital 20
- Recital 21
- Recital 22
- Recital 23
- Recital 24
- Recital 25
- Recital 26
- Recital 27
- Recital 28
- Recital 29
- Recital 30
- Recital 31
- Recital 32
- Recital 33
- Recital 34
- Recital 35
- Recital 36
- Recital 37
- Recital 38
- Recital 39
- Recital 40
- Recital 41
- Recital 42
- Recital 43
- Recital 44
- Recital 45
- Recital 46
- Recital 47
- Recital 48
- Recital 49
- Recital 50
- Recital 51
- Recital 52
- Recital 53
- Recital 54
- Recital 55
- Recital 56
- Recital 57
- Recital 58
- Recital 59
- Recital 60
- Recital 61
- Recital 62
- Recital 63
- Recital 64
- Recital 65
- Recital 66
- Recital 67
- Recital 68
- Recital 69
- Recital 70
- Recital 71
- Recital 72
- Recital 73
- Recital 74
- Recital 75
- Recital 76
- Recital 77
- Recital 78
- Recital 79
- Recital 80
- Recital 81
- Recital 82
- Recital 83
- Recital 84
- Recital 85
- Recital 86
- Recital 87
- Recital 88
- Recital 89
- Recital 90
- Recital 91
- Recital 92
- Recital 93
- Recital 94
- Recital 95
- Recital 96
- Recital 97
- Recital 98
- Recital 99
- Recital 100
- Recital 101
- Recital 102
- Recital 103
- Recital 104
- Recital 105
- Recital 106
- Recital 107
- Recital 108
- Recital 109
- Recital 110
- Recital 111
- Recital 112
- Recital 113
- Recital 114
- Recital 115
- Recital 116
- Recital 117
- Recital 118
- Recital 119
- Recital 120
- Recital 121
- Recital 122
- Recital 123
- Recital 124
- Recital 125
- Recital 126
- Recital 127
- Recital 128
- Recital 129
- Recital 130
- Recital 131
- Recital 132
- Recital 133
- Recital 134
- Recital 135
- Recital 136
- Recital 137
- Recital 138
- Recital 139
- Recital 140
- Recital 141
- Recital 142
- Recital 143
- Recital 144