Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

Author (Corporate)	Council of the European Union, European Parliament
Series Title	Official Journal of the European Union
Series Details	L 333, Pages 80-152
Publication Date	27/12/2022
Content Type	Blog & Commentary, Legislation, News, Policy-making
	Summary: Directive (EU) 2022/2555 - formally adopted by the co-legislators on 14 December 2022 - revising the legislative framework concerning cyber-security across the European Union (EU). It revises and repeals Directive (EU) 2016/1148 (NIS Directive). It also introduces amendments to Regulation (EU) No 910/2014 and Directive (EU) 2018/1972. The Act is known as the NIS2 Directive. This is a text with EEA relevance. Further information: This Directive lays down obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity and computer security incident response teams (CSIRTs). It also sets out cybersecurity risk-management measures and reporting obligations for a number of entities, rules and obligations on cybersecurity information sharing, and supervisory and enforcement obligations in Member States. Directive (EU) 2016/1148 - also known as the NIS Directive - was the first piece of EU-wide legislation on cybersecurity and has provided legal measures to boost the overall level of cybersecurity in the European Union. The need for a legislative revision arose from the increased digitisation of the internal market and an evolving cyber security threat landscape. The review also addressed several weaknesses that prevented the NIS Directive from unlocking its full potential. The draft law was adopted by the European Commission on 16 December 2020, as part of a package which also includes a new EU Cybersecurity Strategy. It sought to modernise the legal framework, covering medium and large entities from more sectors based on their criticality for the economy and society. The European Parliament adopted a negotiating position on 22 November 2021. The Council of the European Union adopted its general approach on 3 December. An informal agreement between the co-legislators on a compromise text for this file was reached on 13 May 2022. This was formally endorsed by the Parliament's plenary on 10 November and by the Council on 28 November. The Act was signed by the co-legislators on 14 December 2022 and published in the Official Journal on 27 December 2022.
Source Link	Primary Source http://data.europa.eu/eli/dir/2022/2555/oj
Related Links	Commentary and Analysis EPRS: Briefing, February 2021: Improving the common level of cybersecurity across the EU (Initial Appraisal of a European Commission Impact Assessment) https://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2021)662606 BEUC: Position Paper, May 2021: Review of the Network and Information Systems Directive (NIS 2) https://www.beuc.eu/publications/review-network-and-information-systems-directive-nis2 KU Leuven: CiTiP Blog, 04/05/2021: The NIS2 proposal: which regulatory challenges for healthcare cybersecurity? https://www.law.kuleuven.be/citip/blog/the-nis2-proposal-which-regulatory-challenges-for-healthcare-cybersecurity/ Information Technology Industry Council (ITI): Event, 27/05/2021: Cybersecurity 2.0: How can the EU’s NIS2 Proposal Advance Cybersecurity in Europe? https://www.youtube.com/watch?v=vANoxX-SEyc ORGALIM: Position Paper, 11/06/2021: Digital Transformation: Position Paper on the European Commission’s proposal for a Directive on measures for a high common level of cybersecurity across the European Union (NIS2) https://orgalim.eu/position-papers/digital-transformation-position-paper-european-commissions-proposal-directive Internet Society: Blog, 15/10/2021: European Union’s Network and Information Security Directive Threatens Internet with Fragmentation and Creates Security Risks https://www.internetsociety.org/blog/2021/10/european-unions-network-and-information-security-directive-threatens-internet-fragmentation-and-creates-security-risks/ CENTR: Blog, 18/10/2021: NIS 2: pay attention or pay the costs https://www.centr.org/news/blog/nis2-costs.html Euronews: View, 06/11/2021: Why is the European Union trying to break the Internet? \| View https://www.euronews.com/2021/11/06/why-is-the-european-union-trying-to-break-the-internet-view Huawei: Blog, 08/11/2021: NIS 2: EU Reviews Rules for Network and Information System Security https://blog.huawei.com/2021/11/08/nis2-eu-rules-governing-security-networks-information-systems/ European Data Journalism Network: News, 02/12/2021: Brussel’s plan to protect the EU from cyberattacks https://www.europeandatajournalism.eu/eng/News/Data-news/Brussel-s-plan-to-protect-the-EU-from-cyberattacks Pinsent Masons: Out-Law News, 07/12/2021: EU Council of Ministers agrees position on ‘NIS2’ cyber law https://www.pinsentmasons.com/out-law/news/eu-council-of-ministers-agrees-position-nis2-cyber-law IAPP: News, 13/05/2022: EU institutions reach provisional agreement on cybersecurity directive https://iapp.org/news/a/eu-institutions-have-provisional-agreement-on-cybersecurity-directive/ EPRS: Briefing, June 2022: The NIS2 Directive: A high common level of cybersecurity in the EU https://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2021)689333 EPRS: At a Glance, November 2022: A high common level of cybersecurity – NIS2 https://www.europarl.europa.eu/thinktank/en/document/EPRS_ATA(2022)738184 News Euronews, 13/05/2022: EU governments, lawmakers agree on tougher cybersecurity rules for key sectors https://www.euronews.com/next/2022/05/13/eu-cybersecurity Politico, 13/05/2022: EU lands new law to fight off hackers in critical sectors https://www.politico.eu/article/eu-lands-new-law-to-fight-off-hackers-in-critical-sectors/ Official EUR-LEX: COM(2020)823: Proposal for a Directive on measures for a high common level of cybersecurity across the Union https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM:2020:823:FIN EUR-LEX: SWD(2020)344: Staff Working Document accompanying the Proposal - Executive Summary of the Impact Assessment https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2020:344:FIN EUR-LEX: SWD(2020)345: Staff Working Document accompanying the Proposal - Impact Assessment https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2020:345:FIN European Parliament: Legislative Observatory: Procedure File for Proposal on a high common level of cybersecurity (2020/0359(COD)) https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=2020/0359(COD) European Parliament: Legislative Train Schedule: Review of the Directive on security of network and information systems https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-review-of-the-nis-directive European Commission: Digital Single Market: Cybersecurity https://ec.europa.eu/digital-single-market/en/cybersecurity EU ENISA: Topics: NIS Directive https://www.enisa.europa.eu/topics/nis-directive European Commission: News, 16/12/2020: Proposal for directive on measures for high common level of cybersecurity across the Union https://ec.europa.eu/digital-single-market/en/news/proposal-directive-measures-high-common-level-cybersecurity-across-union European Commission: Press Release, 16/12/2020: New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient https://ec.europa.eu/commission/presscorner/detail/en/IP_20_2391 European Commission: New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient – Questions and Answers https://ec.europa.eu/commission/presscorner/detail/en/qanda_20_2392 European Commission: Opening remarks by Vice-President Margaritis Schinas at the press conference on the cybersecurity strategy https://ec.europa.eu/commission/presscorner/detail/en/speech_20_2460 Council of the European Union: Press Release, 03/12/2021: Strengthening EU-wide cybersecurity and resilience – Council agrees its position https://www.consilium.europa.eu/en/press/press-releases/2021/12/03/strengthening-eu-wide-cybersecurity-and-resilience-council-agrees-its-position/ Council of the European Union: Press Release, 13/05/2022: Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament https://www.consilium.europa.eu/en/press/press-releases/2022/05/13/renforcer-la-cybersecurite-et-la-resilience-a-l-echelle-de-l-ue-accord-provisoire-du-conseil-et-du-parlement-europeen/ European Commission: Press Release, 13/05/2022: Commission welcomes political agreement on new rules on cybersecurity of network and information systems https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2985 European Parliament: Press Release, 10/11/2022: Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience https://www.europarl.europa.eu/news/en/press-room/20221107IPR49608/ Council of the European Union: Press Release, 28/11/2022: EU decides to strengthen cybersecurity and resilience across the Union: Council adopts new legislation https://www.consilium.europa.eu/en/press/press-releases/2022/11/28/eu-decides-to-strengthen-cybersecurity-and-resilience-across-the-union-council-adopts-new-legislation/
Subject Categories	Internal Markets, Justice and Home Affairs, Security and Defence
Subject Tags	Cybersecurity \| Cyber-security, Risk \| Crisis Management
Keywords	Data Privacy \| Protection
International Organisations	European Union [EU]

Summary:

Further information: