The EU’s new NIS2 Directive on Cybersecurity

Article by Tsaaro

Given the increasing degree of digitisation and interconnectedness in society, and concerned about the rising number of malicious cyber activities worldwide, the European Commission decided to update the 2016 NIS Directive (Directive (EU) 2016/1148). Following the Commission’s proposal of December 2020, the European Parliament and the EU Member States reached a political agreement on a directive for a high common level of cybersecurity across the Union (the Network and Information Systems 2 Directive, i.e. the NIS2 Directive). The new directive aims to improve the cybersecurity and resilience of both public and private sector entities in the European Union.

As part of a wider series of measures against the harmful side of the digital revolution, the European Commission recently proposed a plan to “detect, report, block, and remove” child sexual abuse images and videos from online service providers, including messaging apps, an action that prompted concerns that it may undermine end-to-end encryption (E2EE) protections. In a similar vein, the draft version of NIS2 explicitly spells out that the use of E2EE “should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security and to permit the investigation, and detection and prosecution of criminal offences in compliance with Union law.”


The 2016 NIS Directive left much of its implementation to the Member States, and this discretion led to fragmentation across the Union. The causes of that fragmentation include the unclear delimitation of the NIS Directive’s scope of application, divergent security and incident-reporting obligations, and divergent supervision and enforcement requirements.

NIS2 significantly increases the number of entities covered and obliges more sectors to take technical and organisational measures to manage the risks posed to the security of their network and information systems. Where the NIS Directive applied to operators of essential services and digital service providers, the NIS2 Directive replaces these with two new categories of entities: essential entities and important entities.

NIS2 now covers:

    • Annex I: ‘Essential sectors’ covered by the new security provisions include health, energy, transport, banking, digital infrastructure, public administration and space.
    • Annex II: ‘Important sectors’ include manufacturers of medical devices, postal services, waste management, food production and processing, and digital providers.

Public and Private:

Article 2 of the NIS 2 Directive establishes that the directive applies to certain public and private ‘essential entities’ operating in the sectors listed in Annex I of the Directive (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space) and to certain ‘important entities’ operating in the sectors listed in Annex II of the NIS 2 Directive (postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing, and digital providers). In addition, a size-cap rule is introduced: all medium and large entities, as defined by Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises, that operate in the above-mentioned sectors automatically fall within the NIS 2 Directive’s scope of application (Recital 8 of the NIS 2 Directive). Smaller entities are therefore outside the default scope, although they can still be brought in on other grounds set out in the Directive.

Flagging & Into Effect:

The revamped legislation requires entities to flag significant cyber security incidents to the competent authority within 24 hours of becoming aware of them; failure to do so can result in monetary penalties. This 24-hour notice is an early warning, and a fuller incident notification and a final report follow later in the reporting process. Under the agreement, EU Member States must transpose the provisions into their national law within 21 months of the directive entering into force.

Note: for the NIS2 Directive to be adopted, the Parliament and the Council, as co-legislators, must both agree on the final text.
