[co-authors: Amelie Ksinsik, Michelle Mayer]
The Network and Information Security 2 Directive (EU) 2022/2555 (“NIS2”) entered into force on 16 January 2023. NIS2 sets cyber rules for organizations whose services are considered essential or important for maintaining critical societal and economic activities, such as ensuring the flow of energy or financial transactions. As a Directive, NIS2 must be transposed into the national laws of the EU Member States before it can take direct effect. NIS2 generally requires Member States to adopt national implementing measures by 17 October 2024 and apply such measures from 18 October 2024.
This Legal Update provides a brief overview of the key points of NIS2 and shows the current status of implementation in the EU Member States.
WHICH ORGANIZATIONS ARE IN SCOPE?
NIS2 applies to organizations that operate in certain sectors, which are listed in Annexes I and II of NIS2. Compared to the previous NIS Directive (EU) 2016/1148 (“NIS“), NIS2 covers a broader range of sectors, as illustrated below:
Unlike NIS, NIS2 establishes uniform criteria for determining which entities operating in these sectors fall within its scope. All entities…
