On 16 December 2020, the EU released its proposed revisions to the existing Directive 2016/1148 on the security of network and information systems (NIS2).
The proposals, which were announced as a key component of the EU’s new Cybersecurity Strategy, are intended to build on and repeal the existing NIS framework. They involve a number of significant changes being made to the existing regime, including widening the scope of the law’s application to additional industry sectors, strengthening the existing rules on security requirements and incident reporting, while also increasing the maximum fines that can be applied.
NIS2 comes just over two years after the original NIS Directive 2016/1148 (“NIS1”) was intended to take effect across EU Member States. It has been introduced in order to address various criticisms and issues identified with NIS1 and to reflect the increasingly widespread digitisation of the European economy, which has accelerated further during the COVID-19 pandemic.
Key changes to existing regime
While the underlying purpose of NIS2 remains the same, there are various notable changes that are being proposed which may substantially impact organisations in…
