The importance of cyber security compliance – an overview of the EU regulatory framework


The digitalisation of society is advancing relentlessly. There is almost no area left that is unaffected in some way. However, the digital space also poses a security risk. In order to mitigate risks, the EU has introduced or is introducing a wide range of cyber security laws, leaving businesses subject to a difficult and sometimes confusing regulatory framework.

This article provides a brief overview of the central EU regulations concerning cyber security compliance.

NIS2 Directive

Directive (EU) 2022/2555, or the NIS2 Directive (NIS2), standardises new obligations for critical infrastructure entities. NIS2 lays down measures that aim to achieve a high common level of cyber security across the Union. It defines two groups of entities, regulated according to size, that provide critical services in eighteen sectors in the EU. Essential entities are large enterprises from Annex I sectors of NIS2 (eg energy, health). Important entities are medium enterprises from all Annex I and Annex II sectors as well as large enterprises from Annex II (eg postal and courier services). What constitutes medium-sized and large companies is regulated in accordance with
