Data regulation and cyber
Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)
Status: In force
The NIS2 Directive repeals and modernises the NIS1 Directive, which was the first piece of EU-wide legislation on cybersecurity. The NIS2 Directive extends the framework to cover further sectors, taking into account how the cybersecurity threat landscape has evolved since the adoption of NIS1.
NIS2 applies to ‘essential entities’ and ‘important entities’ that provide services or carry out activities within the EU. Essential entities operate in highly critical sectors such as energy, transport, banking, water, financial market infrastructures, health, digital infrastructure, ICT service management (business-to-business), public administration and space. Important entities act in other critical sectors such as (among others) production, processing and distribution of food, manufacturing, production and distribution of chemicals, various other manufacturing and digital providers.
Key obligations for regulated entities:
Breaches of these obligations are subject to severe GDPR-style fines set by national law. The maximum fine must be at least the higher of: